- Use base-level encryption to allow functionality to operate as expected but obscure relationships between data to defend against reverse engineering.
- To defend against spoofing you can encrypt all traffic in transit. This will ensure that what is captured is only “noise”. Another option is to set up a pre-configured server certificate that is trusted by the API and allowing a handshake to go through only if when the certificate passes. You could also try a two-factor authentication to prevent attacks from the user perspective.
- Ensure proper session management. Be sure that sessions are invalidated once users get past an idle timeout period or if the user logs out. You should set the session lifespan to terminate at a certain point.
- Enforce API level security by using opt-in heuristic systems to know when a user is coming from an unknown machine, unknown location, or if there is any other variation in a known behavior.
Full post here, 11 mins read