API Security Best Practices

AC.

The correct answers are A and C.

A. Use tokens after the identity of a client has been established: This is a common practice for securing APIs. After a client has been authenticated, a token is generated that can be used to access the API. This token is usually time-limited and is used to identify the client on subsequent API calls. This method ensures that only authorized clients can access the API.

C. Use encryption and signatures to secure data: Encryption is the process of converting plain text into ciphertext, which is unreadable without a key to decrypt it. Signatures are a way of verifying that the data has not been tampered with. Together, encryption and signatures help to ensure the confidentiality, integrity, and authenticity of data.

B. Use the same operating system throughout the infrastructure: This is not a security best practice for APIs. It is usually not feasible to use the same operating system throughout an infrastructure, and even if it were, it would not necessarily improve security.

D. Use basic auth credentials over all internal API interactions: This is not a security best practice. Basic authentication sends the username and password in plain text, which can be intercepted and read by attackers.

E. Use cloud hosting services to manage security configuration: While cloud hosting services can provide security benefits, it is not a best practice to rely solely on them for API security. It is important to have a layered approach to security that includes multiple measures, such as encryption, authentication, and access control.