How to Secure Public APIs: Essential Measures and Java Implementation Guide

Preface

Recently I needed to expose an API with a public domain name that handles transaction orders, so security is critical. Below is a summary of common security measures and how to implement them.

Security Measures

Security can be divided into two aspects: protecting data during transmission and ensuring the server can correctly identify and protect incoming data.

1. Data Encryption

Plain HTTP transmits data in clear text, making it easy to sniff. Critical fields (e.g., passwords) should be encrypted (e.g., MD5). The mainstream approach is to use HTTPS, which adds an SSL layer between HTTP and TCP to handle encryption and decryption.

2. Data Signing

Signing generates an unforgeable string to guarantee data integrity. Even with HTTPS, signing is useful for internal service calls where data may traverse multiple hops.

3. Timestamp Mechanism

Including a timestamp in each request allows the server to reject messages older than a configurable window (e.g., 5 minutes), preventing replay attacks.

4. AppId Mechanism

Only clients with a registered AppId and secret can call the API. The request must include both, and the server validates them.

5. Rate‑Limiting

To prevent abuse, apply rate‑limiting per AppId using algorithms such as token‑bucket, leaky‑bucket, or simple counters.

6. Blacklist Mechanism

AppIds that exhibit malicious behavior can be placed on a blacklist, causing immediate request rejection.

7. Data Validation

Validate that incoming data conforms to expected formats (e.g., ID length, phone number pattern) before processing.

How to Implement

1. Data Encryption

Modern encryption uses symmetric (DES, AES) and asymmetric (RSA) algorithms. HTTPS combines both: asymmetric keys establish a secure channel, then symmetric encryption handles the bulk data.

2. Data Signing

MD5 is commonly used to create a signature string from the request parameters and a shared secret.

str = "param1={param1}&param2={param2}&...&paramN={paramN}";
key = {userSecret};
MD5.encrypt(str);

3. Timestamp Mechanism

After decryption and signature verification, compare the client timestamp with the server time.

long interval = 5 * 60 * 1000; // 5 minutes
long clientTime = request.getParameter("clientTime");
long serverTime = System.currentTimeMillis();
if (serverTime - clientTime > interval) {
    return new Response("Request timed out");
}

4. AppId Mechanism

Generate a unique AppId and a random secret. Prefer properties such as monotonic increase for indexing and non‑sequential patterns for security. Global uniqueness can be achieved with Snowflake‑style IDs.

5. Rate‑Limiting

Common algorithms:

Token‑bucket: tokens are added at a fixed rate; requests consume tokens.

Leaky‑bucket: requests are processed at a constant rate; excess requests are dropped.

Counter: limits total concurrent requests within a time window.

Guava’s RateLimiter implements a token‑bucket:

RateLimiter rateLimiter = RateLimiter.create(5); // 5 permits per second

This limits a single instance to five concurrent requests per second. For distributed limiting, use Redis + Lua scripts.

6. Blacklist Mechanism

Maintain a blacklist (e.g., in a distributed config center) and reject any request whose AppId appears on the list.

7. Data Validation

Validation includes:

Signature, required fields, length, type, format checks.

Business rules (e.g., order amount > 0).

Conclusion

The article lists common API security mechanisms: data encryption, signing, timestamp validation, AppId authentication, rate limiting, blacklist handling, and data validation. Additional measures may exist and are welcome for discussion.