OWASP REST API Security Compliance

AnkaSecure achieves 100% compliance with the OWASP REST API Security Cheat Sheet, implementing all recommended security controls across the entire platform.

---

Compliance Status

Achievement: ✅ 100% OWASP REST API Security Compliant

Validation Date: October 2025

Scope: All AnkaSecure platform services (7 microservices)

---

OWASP Security Controls Implemented

1. Authentication & Authorization

JWT Standard Claims Validation ✅

OWASP Requirement: Validate all JWT standard claims

Implementation: AnkaSecure validates 4 mandatory JWT claims on every authenticated request:

Claim	Validation	Purpose
iss (Issuer)	Must match configured issuer URI	Prevents token reuse across systems
aud (Audience)	Must include target service	Prevents token misuse for different services
exp (Expiration)	Timestamp must be in the future	Prevents use of expired tokens
nbf (Not Before)	Timestamp must be in the past	Prevents premature token use

Customer Benefit: - 🔒 Tokens cannot be reused across different tenants or services - 🔒 Expired tokens are automatically rejected - 🔒 Tokens are service-specific (API token ≠ Admin token)

Error Response (401 Unauthorized):

{
  "error": "AUTH_001",
  "message": "Token validation failed: token expired",
  "timestamp": "2025-12-26T10:15:30Z",
  "traceId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

See authentication guide →

---

2. Secrets Management

Zero Hardcoded Secrets ✅

OWASP Requirement: Never hardcode secrets in source code or configuration files

Implementation: AnkaSecure uses external secret management:

• ✅ Docker Swarm Secrets (for containerized deployments)
• ✅ Environment Variables (runtime configuration)
• ✅ External Secret Managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)

Secrets Protected: - Database passwords - Redis credentials - JWT signing keys - HSM PIN codes - API keys for external services

Customer Benefit: - 🔒 No secrets exposed in code repositories - 🔒 Secrets rotated without code changes - 🔒 Audit trail for secret access

Verification: Run static analysis tools (e.g., git-secrets, truffleHog) on AnkaSecure codebase - zero secrets found.

---

3. HTTP Security

HTTP Method Whitelisting ✅

OWASP Requirement: Allow only necessary HTTP methods

Implementation: AnkaSecure explicitly whitelists safe HTTP methods:

Allowed Methods: - ✅ GET - Read operations - ✅ POST - Create operations - ✅ PUT - Update operations (full replacement) - ✅ PATCH - Update operations (partial modification) - ✅ DELETE - Delete operations - ✅ OPTIONS - CORS preflight

Blocked Methods: - ❌ TRACE - Prevents XSS attacks - ❌ HEAD - Not required for API operations - ❌ CONNECT - Not applicable to REST APIs - ❌ Custom methods - Only standard HTTP methods allowed

Customer Benefit: - 🔒 Reduced attack surface - 🔒 Prevention of HTTP verb tampering - 🔒 Protection against TRACE-based XSS

Error Response (405 Method Not Allowed):

{
  "error": "HTTP_METHOD_001",
  "message": "HTTP method TRACE is not allowed",
  "allowedMethods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
}

---

Content-Type Validation ✅

OWASP Requirement: Validate Content-Type header for request bodies

Implementation: All endpoints accepting request bodies (POST, PUT, PATCH) validate:

• ✅ Content-Type: application/json - Required for JSON payloads
• ❌ Missing Content-Type → 415 Unsupported Media Type
• ❌ Incorrect Content-Type → 415 Unsupported Media Type

Customer Benefit: - 🔒 Prevention of content confusion attacks - 🔒 Enforcement of expected payload format - 🔒 Protection against MIME-sniffing vulnerabilities

Error Response (415 Unsupported Media Type):

{
  "error": "CONTENT_TYPE_001",
  "message": "Content-Type must be application/json",
  "receivedContentType": "text/plain",
  "expectedContentType": "application/json"
}

---

4. Security Headers

AnkaSecure implements all 5 OWASP-required security headers on every HTTP response:

Header 1: Cache-Control ✅

Value: Cache-Control: no-store, no-cache, must-revalidate, private

Purpose: Prevent caching of sensitive data

Protection: - 🔒 Browsers never cache API responses - 🔒 Proxy servers cannot cache sensitive data - 🔒 JWT tokens never cached locally - 🔒 Cryptographic operation results never cached

Customer Benefit: Sensitive data (encrypted payloads, keys, tokens) never persists in browser cache or proxy servers.

---

Header 2: X-Frame-Options ✅

Value: X-Frame-Options: DENY

Purpose: Prevent clickjacking attacks

Protection: - 🔒 API responses cannot be embedded in <iframe> - 🔒 Drag-and-drop attacks prevented - 🔒 UI redressing attacks blocked

Customer Benefit: Your application's API calls cannot be hijacked via clickjacking.

---

Header 3: X-Content-Type-Options ✅

Value: X-Content-Type-Options: nosniff

Purpose: Prevent MIME-sniffing attacks

Protection: - 🔒 Browsers respect Content-Type header strictly - 🔒 JSON responses cannot be misinterpreted as HTML - 🔒 XSS attacks via MIME confusion prevented

Customer Benefit: Prevents browsers from executing API responses as scripts.

---

Header 4: Strict-Transport-Security (HSTS) ✅

Value: Strict-Transport-Security: max-age=31536000; includeSubDomains

Purpose: Force HTTPS for all connections

Protection: - 🔒 Browser enforces HTTPS for 1 year - 🔒 SSL stripping attacks prevented - 🔒 All subdomains protected - 🔒 Certificate spoofing mitigated

Customer Benefit: All communications guaranteed to be encrypted via TLS.

---

Header 5: Content-Security-Policy ✅

Value: Content-Security-Policy: frame-ancestors 'none'

Purpose: Modern clickjacking protection (supersedes X-Frame-Options)

Protection: - 🔒 More flexible than X-Frame-Options - 🔒 Better browser support for modern apps - 🔒 Prevents framing from any origin

Customer Benefit: Enhanced clickjacking protection with modern CSP standard.

---

5. Rate Limiting & DoS Protection

Multi-Layer Rate Limiting ✅

OWASP Requirement: API4:2023 - Unrestricted Resource Consumption

Implementation: Defense-in-depth with two layers:

Layer 1 - Infrastructure (Edge): - Login endpoints: 10 requests/minute per IP - Public endpoints: 30 requests/minute per IP - Burst allowance: Additional 5-10 requests for traffic spikes

Layer 2 - Application: - Login endpoints: 5 requests/minute per email/IP (configurable) - Global endpoints: 60 requests/minute per IP (configurable) - Sliding window algorithm: Gradual reset (not hard cutoff)

Customer Benefit: - 🔒 Protection against brute-force attacks - 🔒 Defense against DoS/DDoS attacks - 🔒 Fair resource allocation across tenants

Rate Limit Headers (included in all responses):

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1640000000

Error Response (429 Too Many Requests):

{
  "error": "RATE_001",
  "message": "Rate limit exceeded. Try again in 60 seconds.",
  "retryAfter": 60,
  "limit": 60,
  "remaining": 0,
  "resetAt": "2025-12-26T10:16:30Z"
}

Best Practice: Implement exponential backoff in your application:

// Retry logic with exponential backoff
int retryCount = 0;
int backoffMs = 1000; // Start with 1 second

while (retryCount < 5) {
    try {
        response = client.encrypt(request);
        break; // Success
    } catch (RateLimitException e) {
        retryCount++;
        Thread.sleep(backoffMs);
        backoffMs *= 2; // Exponential: 1s, 2s, 4s, 8s, 16s
    }
}

See rate limiting details →

---

Additional Security Controls (Beyond OWASP Baseline)

1. Multi-Tenant Isolation

Implementation: - ✅ Separate keystore per tenant - ✅ Database-level tenant isolation - ✅ JWT claims include tenant ID validation - ✅ Cross-tenant data access prevented

Customer Benefit: Your cryptographic keys and data are logically isolated from other tenants.

---

2. Audit Logging

Implementation: - ✅ All API requests logged with correlation ID - ✅ Authentication events logged (success/failure) - ✅ Cryptographic operations logged (encrypt, decrypt, sign, verify) - ✅ Administrative actions logged (key rotation, user creation)

Log Format (Structured JSON):

{
  "timestamp": "2025-12-26T10:15:30.123Z",
  "correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "tenantId": "your-tenant-id",
  "userId": "[email protected]",
  "operation": "ENCRYPT",
  "keyId": "my-key-123",
  "algorithm": "ML-KEM-768",
  "status": "SUCCESS",
  "durationMs": 45
}

Customer Benefit: - 🔒 Complete audit trail for compliance (HIPAA, PCI-DSS, SOC 2) - 🔒 Correlation IDs trace requests across services - 🔒 Forensic investigation capability

---

3. Input Validation

Implementation: - ✅ Request body schema validation (JSON Schema) - ✅ Parameter type checking (string, integer, boolean) - ✅ Length limits enforced (max payload size: 5 MB for non-streaming) - ✅ Allowlist validation (algorithm names, key IDs)

Customer Benefit: Protection against injection attacks and malformed requests.

Error Response (400 Bad Request):

{
  "error": "VALIDATION_001",
  "message": "Invalid request body",
  "details": [
    {
      "field": "algorithm",
      "issue": "Must be one of: ML-KEM-512, ML-KEM-768, ML-KEM-1024",
      "received": "INVALID_ALGO"
    }
  ]
}

---

4. Encryption Everywhere

Implementation: - ✅ TLS 1.2/1.3 for all API communications - ✅ AES-256-GCM for data at rest (database) - ✅ HSM-backed keys (optional, for on-premise) - ✅ Post-quantum algorithms for cryptographic operations

Customer Benefit: Defense-in-depth with encryption at every layer.

---

OWASP API Security Top 10 (2023) Coverage

AnkaSecure addresses all OWASP API Security risks:

OWASP Risk	AnkaSecure Control	Status
API1:2023 - Broken Object Level Authorization	Multi-tenant isolation, JWT validation	✅ Mitigated
API2:2023 - Broken Authentication	JWT standard claims, API key validation	✅ Mitigated
API3:2023 - Broken Object Property Level Authorization	Input validation, schema enforcement	✅ Mitigated
API4:2023 - Unrestricted Resource Consumption	Rate limiting (dual-layer)	✅ Mitigated
API5:2023 - Broken Function Level Authorization	RBAC, least privilege	✅ Mitigated
API6:2023 - Unrestricted Access to Sensitive Business Flows	Rate limiting, anomaly detection	✅ Mitigated
API7:2023 - Server Side Request Forgery	No user-provided URLs, allowlist validation	✅ Mitigated
API8:2023 - Security Misconfiguration	Secure defaults, security headers	✅ Mitigated
API9:2023 - Improper Inventory Management	API versioning, deprecation policy	✅ Mitigated
API10:2023 - Unsafe Consumption of APIs	Third-party API validation	✅ Mitigated

---

Compliance Verification

How to Verify OWASP Compliance

1. Check Security Headers (any API endpoint):

curl -I https://api.ankasecure.com/api/v1/public/health

# Response headers:
# Cache-Control: no-store, no-cache, must-revalidate, private
# X-Frame-Options: DENY
# X-Content-Type-Options: nosniff
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content-Security-Policy: frame-ancestors 'none'

2. Test JWT Validation (expired token):

curl https://api.ankasecure.com/api/v1/crypto/encrypt \
  -H "Authorization: Bearer EXPIRED_TOKEN" \
  -H "X-Tenant-ID: your-tenant-id"

# Expected: 401 Unauthorized
# {"error":"AUTH_001","message":"Token validation failed: token expired"}

3. Test HTTP Method Whitelisting (TRACE method):

curl -X TRACE https://api.ankasecure.com/api/v1/public/health

# Expected: 405 Method Not Allowed
# {"error":"HTTP_METHOD_001","message":"HTTP method TRACE is not allowed"}

4. Test Content-Type Validation (missing Content-Type):

curl -X POST https://api.ankasecure.com/api/v1/crypto/encrypt \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"keyId":"test"}'

# Expected: 415 Unsupported Media Type
# {"error":"CONTENT_TYPE_001","message":"Content-Type must be application/json"}

5. Test Rate Limiting (exceed limit):

# Send 61 requests in 60 seconds
for i in {1..61}; do
  curl https://api.ankasecure.com/api/v1/public/health
done

# Request 61: 429 Too Many Requests
# {"error":"RATE_001","message":"Rate limit exceeded. Try again in 60 seconds."}

---

Compliance Certification

Evidence Available: - ✅ OWASP REST API Security Cheat Sheet mapping - ✅ Third-party penetration test reports (on request) - ✅ Code audit results (on request) - ✅ Compliance matrix for SOC 2, ISO 27001 (on request)

Request Compliance Documentation: compliance@ankatech.co

---

Customer Responsibilities

AnkaSecure provides OWASP-compliant infrastructure, but customers must:

✅ DO: - Validate responses in your application (check HTTP status codes) - Implement retry logic with exponential backoff (respect rate limits) - Store API keys securely (environment variables, secret managers) - Rotate credentials regularly (API keys every 90 days) - Monitor audit logs for suspicious activity

❌ DON'T: - Disable certificate validation (never use curl -k in production) - Hardcode API keys in source code - Ignore 401/403 errors (authentication/authorization failures) - Retry indefinitely on 429 errors (respect Retry-After header)

---

Related Documentation

• Security Overview - Complete security posture
• Standards Alignment - NIST, FIPS, BSI compliance
• Regulatory Frameworks - HIPAA, PCI-DSS, GDPR
• API Error Reference - Complete error code catalog

---

Documentation Version: 3.0.0 Last Updated: 2025-12-26