gh-project-codeguard-rules/skills/software-security/rules/codeguard-0-api-web-services.md
2025-11-30 08:48:30 +08:00

---
description: API & Web services security (REST/GraphQL/SOAP), schema validation, authn/z, SSRF
languages:
  - c
  - go
  - java
  - javascript
  - php
  - python
  - ruby
  - typescript
  - xml
  - yaml
alwaysApply: false
---

rule_id: codeguard-0-api-web-services

API & Web Services Security

Secure REST, GraphQL, and SOAP/WS services end-to-end: transport, authn/z, schema validation, SSRF controls, DoS limits, and microservice-safe patterns.

Transport and TLS

  • HTTPS only; consider mTLS for high-value/internal services. Validate certs (CN/SAN, revocation) and prevent mixed content.

Authentication and Tokens

  • Use standard flows (OAuth2/OIDC) for clients; avoid custom schemes. For services, use mTLS or signed service tokens.
  • JWTs: pin algorithms; validate iss/aud/exp/nbf; short lifetimes; rotation; denylist on logout/revoke. Prefer opaque tokens when revocation is required and a central store is available.
  • API keys: scope narrowly; rate limit; monitor usage; do not use alone for sensitive operations.
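The JWT bullet above lists the checks a verifier has to make; the order and the "absent means fail" rule matter as much as the list. The following is an added example (not part of the CodeGuard rule) of a stdlib-only HS256 verifier that pins the algorithm, checks signature before claims, requires iss/aud/exp/nbf/iat/jti, caps lifetime, tolerates a small clock skew, and consults a revocation denylist. The secret, issuer, audience, and lifetime values are constructed for the example; the `mint` helper exists only so the block runs stand-alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key and expectations. A real service loads the key from a
# secret store and takes issuer/audience from configuration.
SECRET = b"example-shared-secret-not-for-production"
ALLOWED_ALGS = {"HS256"}          # pinned here, never taken from the token header
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "orders-api"
MAX_LIFETIME = 900                # seconds; tokens minted for longer are refused
LEEWAY = 30                       # seconds of clock skew tolerated on exp/nbf


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint(claims, key=SECRET):
    """Issue an HS256 token. Present only so the example runs stand-alone."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token, key=SECRET, now=None, revoked=frozenset()):
    """Return the claims of an acceptable token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:                 # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")

    # Algorithm pinning: the verifier decides how the signature is checked. A
    # header claiming "none" or another family is rejected before any signature
    # math happens.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")

    # Every standard claim relied on must be present; absence is a failure.
    for claim in ("iss", "aud", "exp", "nbf", "iat", "jti"):
        if claim not in claims:
            raise ValueError("missing claim: " + claim)
    for claim in ("exp", "nbf", "iat"):
        if isinstance(claims[claim], bool) or not isinstance(claims[claim], (int, float)):
            raise ValueError("numeric claim expected: " + claim)

    if claims["iss"] != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims["aud"]
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise ValueError("wrong audience")
    if now >= claims["exp"] + LEEWAY:
        raise ValueError("expired")
    if now < claims["nbf"] - LEEWAY:
        raise ValueError("not yet valid")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("lifetime too long")
    # Denylist consulted last: jti values invalidated by logout/revoke.
    if claims["jti"] in revoked:
        raise ValueError("revoked")
    return claims


def check(token, **kwargs):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify(token, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The `revoked` set stands in for the central denylist the bullet mentions; when that store is not available, the same code cannot revoke early, which is exactly the situation in which opaque tokens are the better choice.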

Authorization

  • Enforce per-endpoint, per-resource checks server-side; deny by default.
  • For microservices, authorize at gateway (coarse) and service (fine) layers; propagate signed internal identity, not external tokens.

Input and Content Handling

  • Validate inputs via contracts: OpenAPI/JSON Schema, GraphQL SDL, XSD. Reject unknown fields and oversize payloads; set limits.
  • Content types: enforce explicit Content-Type/Accept; reject unsupported combinations. Harden XML parsers against XXE/expansion.
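The two bullets above describe one gate that sits in front of every handler: media type first, size second, then contract. As an added example (not code from the CodeGuard rule), the block below implements that gate for a constructed "create order" contract; the field names, the 16 KiB limit and the `handle` shim are all assumptions made for the example, and the contract table stands in for the OpenAPI/JSON Schema document a real service would generate it from.

```python
import json

# Constructed example contract for a "create order" endpoint:
# field name -> (expected Python type, required?). Anything not listed is rejected.
ORDER_CONTRACT = {
    "sku": (str, True),
    "quantity": (int, True),
    "note": (str, False),
}

MAX_BODY_BYTES = 16 * 1024            # checked on the raw bytes, before parsing
ACCEPTED_MEDIA_TYPE = "application/json"


class RequestRejected(Exception):
    """Carries an HTTP status and a reason that is safe to echo to the client."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def validate_request(headers, body, contract=ORDER_CONTRACT):
    """Return the validated payload dict or raise RequestRejected."""
    lowered = {k.lower(): v for k, v in headers.items()}

    # 1. Explicit Content-Type. Parameters (charset=...) are allowed; a different
    #    media type, or none at all, is not.
    media_type = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != ACCEPTED_MEDIA_TYPE:
        raise RequestRejected(415, "unsupported media type")

    # 2. Size limit on the raw body so an oversize payload never reaches the parser.
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected(413, "payload too large")

    try:
        data = json.loads(body)
    except ValueError as exc:
        raise RequestRejected(400, "malformed JSON") from exc
    if not isinstance(data, dict):
        raise RequestRejected(400, "JSON object expected")

    # 3. Unknown fields are rejected outright (the additionalProperties: false rule).
    unknown = sorted(set(data) - set(contract))
    if unknown:
        raise RequestRejected(400, "unknown fields: " + ", ".join(unknown))

    # 4. Required fields and types. bool is a subclass of int in Python, so a
    #    literal true/false must not pass as an integer quantity.
    for name, (expected_type, required) in contract.items():
        if name not in data:
            if required:
                raise RequestRejected(400, "missing field: " + name)
            continue
        value = data[name]
        if isinstance(value, bool) and expected_type is int:
            raise RequestRejected(400, "wrong type for field: " + name)
        if not isinstance(value, expected_type):
            raise RequestRejected(400, "wrong type for field: " + name)
    return data


def handle(headers, body):
    """Tiny handler shim: (200, payload) on success, (status, reason) otherwise."""
    try:
        return 200, validate_request(headers, body)
    except RequestRejected as exc:
        return exc.status, exc.reason
```

The size check runs on `len(body)` before `json.loads` is called on purpose: a limit enforced after parsing has already paid the memory cost it was meant to prevent, and a framework that streams the body should cut the connection at the same byte count.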

SQL/Injection Safety in Resolvers and Handlers

  • Use parameterized queries/ORM bind parameters; never concatenate user input into queries or commands.

GraphQL-Specific Controls

  • Limit query depth and overall complexity; enforce pagination; timeouts on execution; disable introspection and IDEs in production.
  • Implement field/object-level authorization to prevent IDOR/BOLA; validate batching and rate limit per object type.
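Depth limiting and disabling introspection are both decisions taken on the query text before the executor runs. The block below is an added example (not part of the CodeGuard rule) of a pre-execution admission check written with the standard library only: it tokenizes the document so that braces inside strings, comments and argument input objects are not counted, measures selection-set nesting, and flags `__schema` / `__type` root fields. The depth limit of 6 and the production default are constructed values. A real deployment would express the same rules as validation rules of its GraphQL engine; this version shows what those rules have to measure.

```python
import re

MAX_DEPTH = 6                      # selection-set nesting allowed in production
INTROSPECTION_ALLOWED = False      # flip to True only in development

# Token classes: block strings, strings, comments, braces/parens, names, anything else.
_TOKEN = re.compile(
    r'"""(?:\\"""|(?!""").)*"""'   # block string
    r'|"(?:\\.|[^"\\\n])*"'        # string
    r'|#[^\n]*'                    # comment
    r'|[{}()]'                     # punctuation we track
    r'|[_A-Za-z][_0-9A-Za-z]*'     # names
    r'|\S',                        # anything else, one character at a time
    re.DOTALL,
)


def analyze(query):
    """Return (max selection depth, introspection_used) for a query document."""
    depth = max_depth = parens = 0
    introspection = False
    for tok in _TOKEN.findall(query):
        if tok[0] in '"#':                 # strings and comments never affect structure
            continue
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens = max(0, parens - 1)
        elif tok == "{" and parens == 0:   # braces inside arguments are input objects
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}" and parens == 0:
            depth = max(0, depth - 1)
        elif tok in ("__schema", "__type"):
            introspection = True
    return max_depth, introspection


def admit(query, max_depth=MAX_DEPTH, introspection_allowed=INTROSPECTION_ALLOWED):
    """Decide before execution: (True, 'ok') or (False, reason)."""
    depth, introspection = analyze(query)
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    if introspection and not introspection_allowed:
        return False, "introspection is disabled"
    return True, "ok"
```

Depth alone does not bound cost: a shallow query with many aliases or a large `first:` argument can still be expensive, which is why the bullet pairs depth with overall complexity, pagination limits and execution timeouts.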

SSRF Prevention for Outbound Calls

  • Do not accept raw URLs. Validate domains/IPs using libraries; restrict to HTTP/HTTPS only (block file://, gopher://, ftp://, etc.).
  • Case 1 (fixed partners): strict allowlists; disable redirects; network egress allowlists.
  • Case 2 (arbitrary): block private/link-local/localhost ranges; resolve and verify all IPs are public; require signed tokens from the target where feasible.
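The three bullets above fold into one validation function with two modes: an allowlist of hosts for fixed partners, and scheme plus resolved-address checks for arbitrary URLs. The block below is an added example (not code from the CodeGuard rule) using only the standard library. It rejects non-HTTP(S) schemes and embedded credentials, treats IP literals without a DNS lookup, unwraps IPv4-mapped IPv6 addresses before classifying them, and fails if any resolved address is not globally routable. The `resolve` parameter is an assumption introduced so the check can be exercised offline with constructed answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every A/AAAA answer for host; the caller must check all of them."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(ip_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is classified by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url, resolve=resolve_all, allowed_hosts=None):
    """Return the verified IP set for url, or raise ValueError with the reason.

    allowed_hosts=None is the 'arbitrary URL' case; a set of hostnames is the
    'fixed partners' case, where only listed hosts are ever contacted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise ValueError("host not in allowlist")
    try:
        ips = {str(ipaddress.ip_address(host))}   # literal: no DNS needed
    except ValueError:
        ips = set(resolve(host))                  # name: check every answer
    if not ips:
        raise ValueError("unresolvable host")
    for ip in sorted(ips):
        if not is_public(ip):
            raise ValueError(f"resolves to non-public address {ip}")
    return ips


def check_url(url, **kwargs):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_outbound_url(url, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The function returns the addresses it verified for a reason: if the HTTP client resolves the name again at connect time, a DNS answer that changes between the two lookups reopens the hole, so the client should connect to one of the returned addresses (with the original Host header and TLS server name) and, as the bullets say, follow no redirects, since each redirect target is a new URL that needs the same check.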

SOAP/WS and XML Safety

  • Validate SOAP payloads with XSD; limit message sizes; enable XML signatures/encryption where required.
  • Configure parsers against XXE, entity expansion, and recursive payloads; scan attachments.

Rate Limiting and DoS

  • Apply per-IP/user/client limits, circuit breakers, and timeouts. Use server-side batching and caching to reduce load.

Management Endpoints

  • Do not expose over the Internet. Require strong auth (MFA), network restrictions, and separate ports/hosts.

Testing and Assessment

  • Maintain formal API definitions; drive contract tests and fuzzing from specs.
  • Assess endpoints for authn/z bypass, SSRF, injection, and information leakage; log token validation failures.

Microservices Practices

  • Policy-as-code with embedded decision points; sidecar or library PDPs.
  • Service identity via mTLS or signed tokens; never reuse external tokens internally.
  • Centralized structured logging with correlation IDs; sanitize sensitive data.

Implementation Checklist

  • HTTPS/mTLS configured; certs managed; no mixed content.
  • Contract validation at the edge and service; unknown fields rejected; size/time limits enforced.
  • Strong authn/z per endpoint; GraphQL limits applied; introspection disabled in prod.
  • SSRF protections at app and network layers; redirects disabled; allowlists where possible.
  • Rate limiting, circuit breakers, and resilient patterns in place.
  • Management endpoints isolated and strongly authenticated.
  • Logs structured and privacy-safe with correlation IDs.

Test Plan

  • Contract tests for schema adherence; fuzzing with schema-aware tools.
  • Pen tests for SSRF, IDOR/BOLA, and authz bypass; performance tests for DoS limits.
  • Test all HTTP methods per endpoint; discover parameters in URL paths, headers, and structured data beyond obvious query strings.
  • Automated checks for token validation and revocation behavior.