Fixing OWASP API10:2023 — Unsafe Consumption of APIs in Symfony 7
Never trust the availability, data, or security of APIs you don’t control

Introduction
Modern applications rarely live in isolation. Your Symfony 7 API likely needs to interact with other APIs — perhaps fetching product data from a supplier, getting weather information, or integrating with a payment gateway.
But how much should you trust the data and behaviour of these external services? This leads us to API10:2023 — Unsafe Consumption of APIs, the final entry in the OWASP API Security Top 10.
This vulnerability occurs when your application interacts with external APIs (third-party or even internal microservices) without proper validation, error handling, or security considerations, potentially leading to data corruption, application crashes, or information disclosure in your system.
This step-by-step guide will demonstrate:
- Building a simple Symfony 7 JSON API that consumes data from another (simulated) API but does so unsafely.
- Understanding the risks of unsafe API consumption.
- Implementing fixes like response validation and robust error handling using Symfony's HttpClient.
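As an added example (not code from this article or from Symfony itself), the service below shows the defensive shape the fixes in this guide aim for: a Symfony 7 service consuming a hypothetical supplier endpoint through HttpClient with a timeout, no redirect following, status and content-type checks, a response size cap, and validation of the decoded JSON before it is returned. The base URL and the id/name/price fields are assumed placeholders.

```php
<?php
// Added example, not from the article: defensive consumption of a hypothetical
// supplier API. The base URL and the fields id/name/price are placeholders.
namespace App\Service;

use Symfony\Contracts\HttpClient\HttpClientInterface;
use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;

final class SafeSupplierClient
{
    private const MAX_BODY_BYTES = 65536;  // refuse oversized upstream bodies
    private const TIMEOUT_SECONDS = 3.0;   // never wait indefinitely on a third party

    public function __construct(
        private readonly HttpClientInterface $httpClient,
        private readonly string $supplierBaseUrl = 'https://supplier.example', // placeholder
    ) {}

    /** Returns a validated ['id' => int, 'name' => string, 'price' => float]. */
    public function fetchProduct(int $id): array
    {
        try {
            $response = $this->httpClient->request('GET', $this->supplierBaseUrl . '/products/' . $id, [
                'timeout' => self::TIMEOUT_SECONDS,
                'max_redirects' => 0,  // do not let the supplier send us to another host
                'headers' => ['Accept' => 'application/json'],
            ]);
            if ($response->getStatusCode() !== 200) {  // throws on transport failure
                throw new \RuntimeException('Supplier returned HTTP ' . $response->getStatusCode());
            }
            $contentType = $response->getHeaders(false)['content-type'][0] ?? '';
            if (!str_starts_with($contentType, 'application/json')) {
                throw new \RuntimeException('Supplier response is not JSON');
            }
            $body = $response->getContent(false);
        } catch (ExceptionInterface $e) {
            // Wrap transport errors so raw upstream details never reach our own clients
            throw new \RuntimeException('Supplier unavailable', 0, $e);
        }
        if (strlen($body) > self::MAX_BODY_BYTES) {
            throw new \RuntimeException('Supplier response too large');
        }
        try { $data = json_decode($body, true, 8, JSON_THROW_ON_ERROR); }  // depth-limited
        catch (\JsonException $e) { throw new \RuntimeException('Supplier sent invalid JSON', 0, $e); }
        // Validate shape, types and ranges before anything downstream trusts the data
        if (!is_int($data['id'] ?? null) || $data['id'] !== $id
            || !is_string($data['name'] ?? null) || strlen($data['name']) > 200
            || !is_numeric($data['price'] ?? null) || $data['price'] < 0) {
            throw new \RuntimeException('Supplier response failed validation');
        }
        return ['id' => $data['id'], 'name' => $data['name'], 'price' => (float) $data['price']];
    }
}
```

Every failure path raises the same generic exception type so a controller can map it to a single 502-style error without echoing the supplier's status codes, headers or body back to the caller.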