
More on Security - Man in Middle Attack (MIMA)

Posted on 20/5/2021 under tech api security

In my previous blog, I blogged about suggestions for securing APIs. Since then, I've been pondering how to further secure against Man In The Middle Attacks (MIMA). Even if API endpoints are protected by an authorization/authentication scheme, the client's access token can still be sniffed and intercepted by a man in the middle. The authentication process also requires credential data to be posted in exchange for an access token, and those credentials can likewise be stolen by a man in the middle.

Design Considerations

In securing APIs, the must-have basic security package would include

  • Endpoints protected via Authorization/Authentication scheme
  • Enforce use of HTTPS

On the client side, such as mobile apps, we should consider

  • SSL/TLS (Certificate) pinning - I will blog about this with practical examples some time later
  • Multi-factor authentication functionality, if possible

Finally,

  • safeguard against DDoS using a WAF or some DDoS protection service

This would be, at the very least, an overall good basic security package. What do you think?
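As an added example (not code from the original post), here is what the certificate pinning mentioned above looks like in a Python client using only the standard library: the pin is the SHA-256 of the deployed leaf certificate, a second pin covers rotation, and a connection whose certificate matches no pin is closed before any credentials or access token are sent. The certificate bytes and pins are constructed stand-ins, and the `connect_pinned` wrapper is an assumed helper name.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the server's leaf certificate matches none of the pins."""


def cert_pin(cert_der: bytes) -> str:
    """Pin = hex SHA-256 over the DER encoding of the leaf certificate.
    Computed once from the certificate you actually deploy, then shipped in the app."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pins: set[str]) -> bool:
    """True only if the presented certificate hashes to one of the pins.
    An empty pin set fails closed; the comparison is constant-time."""
    candidate = cert_pin(cert_der)
    return any(hmac.compare_digest(candidate, p) for p in pins)


def connect_pinned(host: str, port: int, pins: set[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that requires BOTH a valid CA chain and a pin match.
    Default verification alone trusts every root in the device store, so a root
    added by an intercepting proxy would pass; the pin check rejects it."""
    ctx = ssl.create_default_context()  # CA verification + hostname check stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
        if leaf is None or not pin_matches(leaf, pins):
            raise PinMismatch(f"certificate for {host} does not match any pin")
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, used only to show the check offline.
    deployed_cert = b"constructed DER bytes of the deployed leaf certificate"
    backup_cert = b"constructed DER bytes of the pre-generated backup certificate"
    pins = {cert_pin(deployed_cert), cert_pin(backup_cert)}  # current + backup for rotation
    print("deployed cert accepted:", pin_matches(deployed_cert, pins))   # True
    print("unknown cert accepted:", pin_matches(b"constructed DER of another cert", pins))  # False
```

Pinning the whole leaf certificate means the pin set must be updated before every certificate renewal, which is why the backup pin is included; in a real deployment compute the pins from your own certificate files rather than the placeholders here.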

Time for supper. Peace and out.