API Security - Nexa Documentation

API Security

API security is a critical aspect of application development. This documentation covers the security practices that are implemented and the recommendations for securing your API.

Authentication

Bearer Token

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

API Key

X-API-Key: your_api_key_here

Implementation:

class AuthMiddleware {
    public function handle($request) {
        $header = $request->getHeader('Authorization');
        // Expect "Bearer <token>"; reject a missing header or a different scheme
        if (!$header || stripos($header, 'Bearer ') !== 0) {
            throw new UnauthorizedException('Token not found');
        }
        $token = trim(substr($header, 7));

        try {
            $this->validateToken($token);
        } catch (Exception $e) {
            // Do not tell the client why validation failed
            throw new UnauthorizedException('Invalid token');
        }
    }
}
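The page's validateToken is left unspecified; the following is an added example (not Nexa's own code) of what it should do for the HS256 bearer token shown above. It assumes a shared secret ($secret), a token with the standard "exp" claim, and a constructed demo token built inline; the UnauthorizedException class is defined only if the project does not already provide it.

```php
<?php
// Added example, not part of the Nexa code base.
// Verifies an HS256 JWT presented as "Authorization: Bearer <token>".
if (!class_exists('UnauthorizedException')) { class UnauthorizedException extends RuntimeException {} }

function base64url_decode(string $s) {
    $pad = strlen($s) % 4;
    if ($pad) { $s .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($s, '-_', '+/'), true);
}

function validateBearerToken(?string $header, string $secret): array {
    // Header must be exactly "Bearer <token>"
    if ($header === null || !preg_match('/^Bearer\s+(\S+)$/', $header, $m)) {
        throw new UnauthorizedException('Token not found');
    }
    $parts = explode('.', $m[1]);
    if (count($parts) !== 3) {
        throw new UnauthorizedException('Invalid token');
    }
    [$h64, $p64, $s64] = $parts;
    $hdr = json_decode(base64url_decode($h64) ?: '', true);
    // Pin the algorithm server-side; never let the token's "alg" select "none" or another scheme
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        throw new UnauthorizedException('Invalid token');
    }
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    $given = base64url_decode($s64);
    // Constant-time comparison so the check does not leak timing information
    if ($given === false || !hash_equals($expected, $given)) {
        throw new UnauthorizedException('Invalid token');
    }
    $claims = json_decode(base64url_decode($p64) ?: '', true);
    // Reject tokens without an expiry or past it
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] < time()) {
        throw new UnauthorizedException('Invalid token');
    }
    return $claims;
}

// Constructed demo token signed with the same secret, valid for one hour
$secret = 'constructed-demo-secret';
$b64 = fn(string $s) => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$body = $b64('{"alg":"HS256","typ":"JWT"}') . '.' . $b64(json_encode(['sub' => 42, 'exp' => time() + 3600]));
$token = $body . '.' . $b64(hash_hmac('sha256', $body, $secret, true));
print_r(validateBearerToken("Bearer $token", $secret));
```

Tampering with any part of the demo token (header, claims or signature) makes validateBearerToken throw instead of returning the claims.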

Authorization

class RoleMiddleware {
    public function handle($request, $role) {
        $user = $request->user();
        // An unauthenticated request never passes the role check
        if (!$user || !$user->hasRole($role)) {
            throw new ForbiddenException('Access denied');
        }
    }
}

Rate Limiting

class RateLimiter {
    public function handle($request) {
        $key = $this->getKey($request);
        $limit = 100; // requests
        $window = 3600; // seconds

        if ($this->isOverLimit($key, $limit, $window)) {
            throw new TooManyRequestsException();
        }
    }
}

Input Validation

class Validator {
    public function validate($data, $rules) {
        // Sanitize input
        $data = $this->sanitize($data);

        // Validate against the rules; a missing field must fail, not raise a notice
        foreach ($rules as $field => $rule) {
            if (!$this->validateField($data[$field] ?? null, $rule)) {
                throw new ValidationException("Invalid $field");
            }
        }

        // Return the sanitized data so callers use it instead of the raw input
        return $data;
    }
}

CORS (Cross-Origin Resource Sharing)

// CORS configuration: name the trusted origin explicitly; do not use a wildcard on authenticated endpoints
header('Access-Control-Allow-Origin: https://trusted-domain.com');
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
header('Access-Control-Max-Age: 86400');

Security Best Practices

  • Always use HTTPS
  • Implement strong authentication
  • Validate all input
  • Apply rate limiting
  • Use CORS carefully
  • Log all security-relevant activity
  • Update dependencies regularly
  • Encrypt sensitive data
  • Implement session timeouts
  • Use prepared statements for database queries

Security Implementation Example

Secure Controller

class SecureApiController extends ApiController {
    public function __construct() {
        // Middleware: authentication, throttling and the role check run before every action
        $this->middleware('auth');
        $this->middleware('throttle:60,1');
        $this->middleware('role:admin');
    }

    protected function secureEndpoint($request) {
        // Validate input
        $this->validate($request, [
            'email' => 'required|email',
            'password' => 'required|min:8'
        ]);

        // Sanitize data
        $data = $this->sanitizeInput($request->all());

        // Process only the validated, sanitized data
        return $this->process($data);
    }
}

Security Headers

// Recommended security headers
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
// Legacy header: modern browsers ignore it, so rely on the Content-Security-Policy below
header('X-XSS-Protection: 1; mode=block');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header('Content-Security-Policy: default-src \'self\'');