Very good, you covered all the required bases. What you however should arguable always do, is put your APIs behind an API gateway (or reverse proxy) and let that throttle the responses. That way you don’t need to load your services with throttling code, which is not their primary function. You can declaratively manage the rates on a centralized point based on policies ranging from roles to ip networks. As you will not want to limit API speeds from your back office for example. Also an API gateway (reverse proxy) can be a termination point for TLS, although you should have imo always TLS also on your API as long as you automatically manage the certificates so that they are automatically refreshed when it’s time. And also your API should authenticate itself with service principle or manage identity. And in our industries we even do not allow interpreted languages because we want to be able to sign the runtime that is statically linked so nobody can sneakily change out the service or a library and exfiltrate data. Our custom API gateway actually checks the signature of the binary everything the API refreshes its access token or requests an access token. If it doesn’t match with what we told the api gateway it should be it won’t start. And those signatures we put in a keyvault that the API gateway may read.

I great that you mention it, Errors is something no one makes tutorials or mention as something important.

Working on a backend project, and all checked ✅ Great video 👏🏾

i also like to use an application token to my back-end systems, which i use to allow only my front-end client to access by registering the same application token on environment variables, then i pass this app token in request headers, this way only my applications can make requests on the server

I like the bg change for every section, nice touch.

Great stuff as always! Little take from me: I'm of the opinion that one should never deliberatly throw a 500. A 500 to me indicates an unhandled exception that a developer always needs to look at :) when it appears so it doesn't make sense to throw it if it can be helped. There are always 4xx alternatives.

Big part of input validation that was left out of this is protecting against SQL injection if using a SQL db, which is likely. Always at the very least use something like Pg with parameterized queries if not using an ORM. Very good overview otherwise.

Great video. Could you do a video on really thorough error handling in typescript. It would be great to include a simple try catch, and something more complex where there are multiple async steps taking place. Perhaps even including utility functions and where you would put the try catch and why. I think this is a hard thing to do really well.

I hope you make a complete tutorial on this steps.

I would love to see a full video of protecting API as you said.

You only talked about oauth2 oidc flows which is typically for sso or granting scopes/permissions to 3rd party with resource owner's consent but what about a simple 3rd party accessing your apis, in such cases you may share a key with 3rd party and have 3rd party generate and share in request something like a checksum Md5 of 'payload + secret key' validating which shall ensure the authenticity of your 3rd party which adds to the security of the api

I love token based rate limiting, because u can separate time from attempts. Example, loging route 3 tokens for 60 minutes to stop brute force, but for another end point, 50 tokens per minute, so that way legit users can do a big paginated request in high speed once, but not repeatedly to not overload

Great video, Josh! I do all of that, but for rate limiting I’ve never used Upstash. Do you have a video using that in one of your projects so I can check it out?

Good summary. I'm doing all of the same things 👍

Thank you so much josh

Congratulations on the video ! Can you do a tutorial on this topic?

Input validation is not only important for the sake of security but also for not breaking your app in development. It might always happen that accidentally malformed or erroneous data ends up in your database in the worst case taking down the whole app, so you waste time finding that data. If you do it properly right from the start you are protected against that _plus_ against malicious requests.

To secure your API just follow the best practices and standard approach. Most of the modern API frameworks follow those, sometimes you just need to configure them.

Hi Josh, nice video! Love your channel, always bring relevant content! Could you please expand a little more on some of the steps, specially auth/authorization and rate limiting? It would be very nice if you brought some example code in github, good patterns, useful libraries, caveats, etc. Thank you so much for your work!

Many thanks for these tips! Wondering how this works in nextjs? Also an idea for a vid: arm wrestling dates and timezones due to passing dates between client and server components. My data is in UTC in my db but stuff like 'Today" for the client means something different for db calls than on the server. Love your channel!

I really like this video and also the discussion in the comments as it goes far beyond the typical videos on APIs. They’re mostly about how to develop but not how to secure APIs. One question about input validation. I validate user input with zod but strings mostly only with z.string(). I don’t use any further regex validation or so. I use prisma as an ORM and I currently “trust” Prisma to handle input strings in a secure manner. I haven’t found any information if Prisma does so or not and I am a little bit lost. 😅 Should I validate my input strings even more (e.g using regex?) or should I trust Prisma ORM? 🎉

Please make a video on "How to securely handle environment variables in frontend?"

Hi @joshtriedcoding, thanks for the insight. I really appreciate. I have a little request, are you able to make a video where you build a demo API that show case the things you’ve talked about here. I would really love to get a bit more clarity on that. Thanks in advance.

Do you mind making a video explaining these steps by creating an API?

This is very useful. Thanks.

great video

Another awesome video man, thanks! I was hoping you would touch on CSRF too

Thank you, josh

Super useful... Thanku Josh

HTTPS won't stop a man-in-the-middle attack. If someone is snooping when you pass off encryption keys, it's not longer encrypted.

What if my Frontend website doesn't require the user to login

Summary 1- Use https 2- Authorize user in API 3- Rate limiting the API 4- Validation of data passed in API 5- Error handling

Hi Josh! Please I'm confused about the session token and jwt can you please shed more light. The whole Auth stuff confuses me

Awesome video

Impressive, very nice. Let's see Paul Allen's api security.

Great video!

👏

I love your videos nice work, however, your error handling does not look so great. How do you handle uncaught exceptions and unhandled rejections in one go? Those can be handled using middleware which you can only call once throughout the server.

Awesome 👍

What sort of performance impact does the API get by adding a call out to do the rate limiting checks? If you are checking tokens, a session cookie and rate limit could that impact the API performance enough that it's noticeable?

Love ur videos ❤

also you should also secure for xss attacks!!

Can you make a series of building full stack websites whenever you have a time

Another one is "Versioning" extremely necessary for update and patches

An extra additional step that I follow is generating the current time in milis and then making it a signed token which will be in the "key" parameter in the API link. Then when the API is hit it first verifies the key value token and then compares it with the current time of the API server and if the time passes more than 10 seconds API responds with a 401 not authorised response. because both times come from the same server it never gets the wrong time in milis. Even though if the request server and API server are different milis would be the same for any timezone of the world.

except, error handling is a nightmare in nextjs... try/catch spam and copy paste catch block on every route u create

Make a video to log data. If a error happens send to a server the error or logs

Can you make a video on you vscode setup

I think error handling is off-topic

Bro you missed the one of the most secure section and that was ACID. Transaction How to revert those transactions which executed but they failed at the end At that time our data will get corrupted Hope you explain me or make video on this Thanking you in advance

Just leaving it here,for when I come back to the video in the future... 1. HTTPS 2. Auth 3. Rate Limiting 4. Input Validation 5. Error Handling

if i have two functions in pages/api/posts/index.ts which function gets invoked when making an api request? also how can I define the method for said functions in next js api routes?

Csfr?

Timing errors!!

Thanks. I think it would help if you did a video on passing tokens by http header vs passing tokens as cookies.

Great video. I would say there is a very important 6th step. Maybe more important than the 5th one. Monitoring. We would like to know if our Server is being attacked, down or returning errors etc. So we can take action towards it. Thanks for the curation tho 🙏🏻👍🏻🫶🏻

JordIndian fans. here --->