Runscope API Monitoring    Learn More →

Posts filtered by category: security

Best Practices for API Security: Avoiding Common Security Vulnerabilities

By Scott Fitzpatrick on .

It’s fairly easy to see that API security can be of the utmost importance when designing and implementing an interface that might be used by another entity over which you have no control. By allowing another organization to interact with your application directly, you are putting your data at risk.

Taking the appropriate security measures throughout the design process can ensure that your API is used properly by those you allow to interact with your application. Such measures include the utilization of an effective strategy to authenticate the application employing your API, taking steps to ensure that the client application is authorized to perform the actions they are attempting through your API, and bulletproofing against common API vulnerabilities such as XSS and SQL injection.

In this article, we’ll take a look at API security best practices and discuss strategies for securing APIs. […]

Read More →

Categories: apis, security

Keep Your Account Safe: Two-Factor Authentication with Google Authenticator

Keep Your Account Safe: Two-Factor Authentication with Google Authenticator

By Heitor Tashiro Sergent on .

Security is a top priority for us at Runscope. It's important for us to make sure that your data is always safe, and to also empower you with any tools that we can to allow you to protect your companies' data.

We added support for two-factor authentication back in July of 2015. Users could enable 2FA in their accounts via SMS, or by using the Authy app. But, we understand that sometimes users can have different apps that handle 2FA, such as Google Authenticator and other TOTP compliant apps that require a QR code.

So, last week we've added support for Google Authenticator and other apps as two-factor authentication options for Runscope users! [...]

Read More →

Categories: announcements, howto, security, product

Using Runscope to Test APIs Protected with the Hawk Authentication Scheme

By Gustavo Straube on .

We’re excited to have Gustavo Straube, Software Engineer and Co-founder at both Creative Duo and All Day Use, show the Runscope community how to test APIs that use alternative or custom authentication schemes.

Nowadays, employing authentication protocols with your APIs is a necessity, but dealing with them can be taxing. At Creative Duo, we usually build APIs to act as the backend for mobile apps and modular systems. In both cases, even when using TLS protocol to protect the data, we have to guarantee that only authorized requests get a valid response from any service. In the past, we used a home-grown solution to avoid unwanted access, but it wasn't reliable and writing a trusty security protocol has never have been our focus.

After trying some alternatives, we ended up choosing Hawk authentication scheme for its simplicity and ease of integration. It provides enough safety for our applications and their consumers. The primary design goals of Hawk are to:

  • Simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources
  • Secure credentials against leakage
  • Avoid the exposure of credentials sent to a malicious server over an unauthenticated secure channel due to client failure to validate the server's identity as part of its TLS handshake

As we started to configure the first test we found a little problem in our way: the API we were testing uses Hawk for authentication, and we only found options for Basic Authentication and OAuth 1.0.

Checking the available configurations, there was an option to add static headers. However, as a replay protection procedure, authentication headers in Hawk are valid for only one minute. With that in mind, the static header was not an option since we must update the header within one minute. Furthermore, automatic tests would be impossible to run.

Recently we discovered Runscope and its awesome features to monitor and test APIs. After a tweet exchange a few emails with Runscope team, we got a script to start with. Yes! It is possible to write scripts to run before (initial scripts) and after tests. The scripts should be written in Javascript, which is a great choice since a lot of developers know at least a bit of JS. Also, it's possible to use a few common libraries with scripts, like Moment.js and CryptoJS.

Creating the Authentication Header

Before creating the dynamically generated authentication headers, we must set up some variables we'll use in the script.

Now we can start to build the header itself. Hawk protocol is simple: it basically uses an HMAC hash, created with the request info, using a secret key.

Knowing the protocol basics, the following code becomes pretty obvious.

Step 1: Set up the request data into variables.

var now = parseInt(moment() / 1000);
var method = "GET";
var path = "/api/path/to/resource";
var host = "";
var port = 80;
var ext = null;
var nonce = Math.random().toString(36).substring(6);

Step 2: Create the normalized request string, with each value followed by a newline, as required by the protocol.

var artifacts = "hawk.1.header\n" + now + "\n" +
     nonce + "\n" +
     method + "\n" +
     path + "\n" +
     host + "\n" +
     port + "\n\n";
if (ext) {
     artifacts += ext;
artifacts += "\n";

Step 3: Create the hash using the HMAC function from CryptoJS.

var mac = CryptoJS.HmacSHA256(artifacts, variables.get("hawkSecret")).toString(CryptoJS.enc.Base64);

Step 4: Build the authorization header contents.

var header = "Hawk id=\"" + variables.get("hawkKey") + "\", ts=\"" + now +
"\", nonce=\"" + nonce + "\"";
if (ext) {
       header += ", ext=\""+ ext + "\"";
header += ", mac=\"" + mac + "\"";

Step 5: Set the header contents to a variable to use in the request configuration.

variables.set("hawkHeader", header);

Now that we have an authorization header, which changes according to the time, we can add it to our request, using the variable from the script.

Finally, we can run our test, check the response and add some assertions.

Initial scripts run before the request, so we cannot retrieve data from the request to use when creating the header. That is why we set all request parameters in the script (method, host, path, etc.). To avoid modifying the script for each different test configuration, we can create variables for all those settings which change between tests so that we can simply copy and paste the script when needed.

At Ease with API Testing & Auth Tools

Now that we've found an auth solution that works well for us, we're put even more at ease having a tool like Runscope in our arsenal to monitor and test the health all of those APIs. If you have any questions or comments about using Hawk protocol or testing APIs using authentication schemes, feel free to leave a comment below or tweet at me!

You can start testing APIs protected by an authentication protocol by signing up for Runscope for free. 

Categories: code samples, howto, product, monitoring, security, testing, community

We've Got You Covered: Introducing Two-Factor Authentication

By Ashley Waxman on .

At Runscope, security is our top priority. We value your data and always make sure that it’s safe, secure and available only to authorized users. That’s why we’re excited to announce that you can now enable two-factor authentication (2FA) in your Runscope account with Authy. This extra level of protection ensures that if an unauthorized person accesses your username and password, that person still won’t be able to log in to Runscope as you. With 2FA, you identify yourself in Runscope with both your password and a token retrieved from your mobile phone or other device.

Enabling 2FA is easy from your Runscope dashboard. Simply go into your profile, and the second listing is labeled Two-Factor Authentication. Select On and add your phone number. Once your phone number is verified through your device, you’re all set! Anytime you sign back in to your Runscope account, you’ll be prompted for an authentication token.

If you enable 2FA, you should install Authy on your phone or computer to generate access codes. If you don't have the app installed, we'll send an SMS to the mobile phone number specified.

We recommend enabling 2FA for your entire team. It’s fast, easy and you’ll have extra assurance that your data is protected and secure.

Categories: announcements, howto, product, security

OpenSSL "Heartbleed" Vulnerability Update

By John Sheehan on .

Information was released yesterday about a new vulnerability (CVE-2014-0160) related to OpenSSL, a cryptography library that is used for encrypting a large majority of the traffic across the Internet. An audit of our systems revealed that we were using an affected version of OpenSSL.

We immediately took steps to remedy the situation. As of 9:05pm PT on Monday April 7th all of our servers have been updated to the latest version of OpenSSL that includes a patch for the vulnerability. No service downtime was incurred during the update.

As an extra precaution we have also reissued our SSL certificates for *, * (and each region subdomain e.g. * and * The deployment of the updated certificates to servers in our customer-facing environment was completed as of 3:30pm PT on Tuesday April 8th.

It's highly unlikely that our systems were compromised before we deployed the patched OpenSSL version. However, we recommend taking some precautionary steps to protect yourself including signing out and back into your accountchanging your Runscope account password, and resetting any API tokens sent via Runscope URLs.

As an infrastructure provider, protecting your data is our top priority. We are monitoring the situation closely and will post updates on our Twitter account and service status page accordingly. If you have any questions about this incident, please contact our support team.

Categories: security

Jump start your app development with Runscope's OAuth 1.0a and OAuth 2 Token Generators

By John Sheehan on .


If there's one thing we consistently hear from developers it's that getting started with OAuth is too hard. There are a daunting number of concepts to understand: complex multi-legged authentication flows, different grant types, request signatures and a bevy of other things you don't care about when you're first building your app.

Generating Tokens with the Runscope OAuth Token Generators

We wanted to make it easy to bypass the server requirement most APIs require to get valid tokens for making requests. Some providers (like Twitter and do a great job of letting you generate tokens for your own account. For the rest, we present the Runscope OAuth Token Generators.

The token generators are available for both OAuth 1.0a and OAuth 2. To get started, create a new application with the API provider (we recommend creating an application just for this purpose) and make note of the client key and secret. Paste in the credentials, the API-specific URL endpoints for the auth flow and start the auth process. Token exchange requests made along the way will show up in your default bucket so you can see what was sent back and forth.

We have tested the generators with many popular services including: Facebook, Twitter, LinkedIn, Tumblr, GitHub,, Instagram, Google, Stripe, 37Signals, Box, Microsoft Live Connect, Stack Exchange, Wordpress, Foursquare, MailChimp and more. If you're using a service that requires an authentication flow and follows the standard, it will probably work. 

Get Started

To get started, sign up for your free Runscope account and head over to the token generator that uses the style of OAuth the API uses: 

→ Runscope OAuth 1.0a Token Generator

→ Runscope OAuth 2 Token Generator 

If you run into any issues or APIs that don't work, let us know

Categories: api ecosystem, testing, security

Everything is going to be 200 OK®