ABSTRACT

In this tutorial, you’ll dive into the fundamentals of API security for Python applications. You’ll learn best practices and patterns for API authentication and authorization and for API security by design.

We’ll go through the OWASP top 10 API vulnerabilities. We’ll see practical examples of how they occur, including examples from real-world APIs. We’ll analyze the vulnerabilities, understand what the attack vectors are, and how we address them.

You’ll learn how Open Authorization (OAuth) and OpenID Connect (OIDC) work for APIs. You’ll learn about the risks and advantages of using these protocols, known vulnerabilities, and best practices to avoid them. You’ll also learn about JSON Web Tokens (JWTs) and how to use them correctly for access authorization.

Finally, you’ll learn how to automate the process of detecting and addressing security vulnerabilities in your APIs using fuzzy testers like schemathesis and design-testing tools like spectral.

Throughout the tutorial, we’ll use examples of OpenAPI specifications, and code examples in Flask and FastAPI. You’ll make the best out of the tutorial if you have some experience working with APIs.

If you work with APIs (who doesn’t!), I’d love to welcome you to this tutorial to learn how to build and deliver secure APIs!