Securing Your Strapi API: A Comprehensive Guide
Strapi provides a powerful headless CMS with built-in API capabilities, but with great power comes great responsibility. This guide walks through essential security measures to protect your Strapi application and its APIs in production environments.
Understanding Strapi’s Security Model
Strapi incorporates several security mechanisms out of the box:
- Role-Based Access Control (RBAC) - Managed through the Admin UI
- JWT Authentication - For user authentication
- API Tokens - For service-to-service communication
- Permission System - Fine-grained control over endpoints
Even with these features, proper configuration is vital to maintain a secure application.
Step 1: Securing the Admin Panel
The admin panel is your primary management interface and requires special attention:
Custom Admin URL
Change the default /admin path in config/server.js:
module.exports = ({ env }) => ({
host: env('HOST', '0.0.0.0'),
port: env.int('PORT', 1337),
admin: {
url: env('ADMIN_URL', '/dashboard'),
auth: {
secret: env('ADMIN_JWT_SECRET'),
},
},
});
Strong Authentication Policies
Enhance admin login security in config/admin.js:
module.exports = ({ env }) => ({
auth: {
// Require stronger passwords
passwordPolicy: {
minLength: 12,
requireNumbers: true,
requireSymbols: true,
requireUppercase: true,
requireLowercase: true,
},
// Add login throttling to prevent brute force
loginThrottling: {
enabled: true,
maxAttempts: 5, // Block after 5 failed attempts
periodMs: 60 * 1000, // Within a 1 minute window
banDurationMs: 15 * 60 * 1000, // Ban for 15 minutes
},
},
// Customize session duration
apiToken: {
expiresIn: '7d',
},
});
Two-Factor Authentication (2FA)
As of Strapi v4, you can enable 2FA for admin users:
- Go to Settings → Security → Two-factor Authentication
- Enable the feature
- Each admin user can then configure 2FA in their profile settings
Step 2: Securing Content API Access
Configuring Proper Permissions
Strapi's permission system allows fine-grained control over API endpoints:
- Navigate to Settings → Users & Permissions Plugin → Roles
- Select each role (Authenticated, Public) and carefully configure permissions
- Only grant necessary access - avoid allowing "find" or "update" permissions on sensitive collections for Public roles
Example: Implementing a Properly Secured Blog API
// In your Roles & Permissions settings:
// Public Role:
// - Article: find, findOne (read-only access to published articles)
// - Category: find, findOne (read-only access to categories)
// Authenticated Role:
// - Article: find, findOne, create (users can create but not edit/delete)
// - Comment: find, findOne, create, update, delete (full control over their own comments)
Content API Tokens
For server-to-server communication, use API tokens instead of user credentials:
- Go to Settings → API Tokens
- Create a new token with appropriate permissions and expiration
- Use it in API requests:
curl http://localhost:1337/api/articles \
-H "Authorization: Bearer your-api-token"
Different token types offer varying security levels:
- Read-only: Safest option for data consumption
- Full-access: Reserved for trusted services that need write access
- Custom: Tailor permissions to specific needs
Step 3: Implementing JWT Authentication Configuration
Secure your JWT implementation in config/plugins.js:
module.exports = ({ env }) => ({
'users-permissions': {
config: {
jwt: {
expiresIn: '1d', // Short-lived tokens
secret: env('JWT_SECRET'),
},
// Advanced options:
jwtOptions: {
audience: env('JWT_AUDIENCE', 'your-app-domain'),
issuer: env('JWT_ISSUER', 'strapi-api'),
}
},
},
});
For token refresh, implement a custom endpoint:
// Path: ./src/api/token/controllers/token.js
module.exports = {
async refresh(ctx) {
const { refresh_token } = ctx.request.body;
try {
// Validate the refresh token
const decoded = strapi.plugins['users-permissions'].services.jwt.verify(refresh_token);
// Generate a new access token
const newToken = strapi.plugins['users-permissions'].services.jwt.issue({
id: decoded.id,
});
// Return the new access token
ctx.send({
jwt: newToken,
});
} catch (err) {
ctx.unauthorized('Invalid refresh token');
}
},
};
Step 4: Implementing Rate Limiting
Protect your API from abuse with rate limiting in config/middleware.js:
module.exports = ({ env }) => ({
settings: {
cors: {
// Configure CORS carefully
origin: env.array('CORS_ORIGIN', ['https://yourapplication.com']),
},
rateLimit: {
enabled: true,
interval: 60 * 1000, // 1 minute
max: 100, // limit each IP to 100 requests per interval
delayMs: 0,
headers: true,
// Configure different limits for specific routes
routes: [
{
path: '/api/auth/local', // login endpoint
interval: 60 * 1000,
max: 10, // stricter limit for authentication attempts
},
{
path: '/api/users-permissions/users', // user registration
interval: 60 * 1000,
max: 5,
}
],
},
},
});
Step 5: Enabling and Configuring Security Headers
Add security headers to protect against common web vulnerabilities:
// config/middleware.js
module.exports = ({ env }) => ({
load: {
before: ['responseTime', 'logger', 'cors', 'responses', 'security-headers'],
},
settings: {
'security-headers': {
enabled: true,
contentSecurityPolicy: {
useDefaults: true,
directives: {
'connect-src': ["'self'", 'https:'],
'img-src': ["'self'", 'data:', 'blob:', 'https://yourimagecdn.com'],
'default-src': ["'self'"],
upgradeInsecureRequests: null,
},
},
frameguard: {
action: 'deny', // Prevent site from being embedded in iframes
},
hsts: {
maxAge: 31536000, // 1 year in seconds
includeSubDomains: true,
preload: true,
},
xss: {
enabled: true,
mode: 'block',
},
nosniff: {
enabled: true,
},
},
},
});
To add the missing middleware, create a custom security headers middleware:
// ./src/middlewares/security-headers.js
module.exports = (config, { strapi }) => {
return async (ctx, next) => {
ctx.set('X-Frame-Options', 'DENY');
ctx.set('X-Content-Type-Options', 'nosniff');
ctx.set('X-XSS-Protection', '1; mode=block');
ctx.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
if (config.contentSecurityPolicy.enabled) {
// Set CSP headers
const csp = constructCSPHeader(config.contentSecurityPolicy);
ctx.set('Content-Security-Policy', csp);
}
await next();
};
};
function constructCSPHeader(cspConfig) {
// Implementation to build the CSP header string from config
// ...
}
Step 6: Data Validation and Sanitization
Ensure all inputs are properly validated to prevent injection attacks:
Custom Validations for Content Types
// ./src/api/article/content-types/article/schema.json
{
"kind": "collectionType",
"attributes": {
"title": {
"type": "string",
"required": true,
"unique": true,
"minLength": 5,
"maxLength": 100
},
"content": {
"type": "richtext",
"required": true,
"minLength": 50
},
"slug": {
"type": "uid",
"targetField": "title"
}
}
}
Custom Validators for Specific Logic
// ./src/api/article/controllers/article.js
module.exports = {
async create(ctx) {
const { data } = ctx.request.body;
// Custom validation
if (data.title && data.title.includes('forbidden-word')) {
return ctx.badRequest('Title contains forbidden words');
}
// Create the entry
const entity = await strapi.entityService.create('api::article.article', {
data: data,
user: ctx.state.user
});
return entity;
}
};
Step 7: Setting Up Audit Logging
Monitor API usage and detect suspicious activities:
// ./src/middlewares/audit-logger.js
module.exports = () => {
return async (ctx, next) => {
const startTime = Date.now();
try {
// Process request
await next();
// Log successful requests
const duration = Date.now() - startTime;
logRequest(ctx, duration, null);
} catch (error) {
// Log failed requests
const duration = Date.now() - startTime;
logRequest(ctx, duration, error);
throw error;
}
};
};
function logRequest(ctx, duration, error) {
const { method, url, ip } = ctx.request;
const statusCode = ctx.response.status;
const user = ctx.state.user ? ctx.state.user.id : 'anonymous';
const logData = {
timestamp: new Date().toISOString(),
method,
url,
statusCode,
duration,
ip,
user,
userAgent: ctx.request.headers['user-agent'],
error: error ? {
message: error.message,
stack: process.env.NODE_ENV === 'development' ? error.stack : undefined
} : null
};
// In production, you might want to use a dedicated logging service
if (process.env.NODE_ENV === 'production') {
// Example: Send to external logging service
// sendToLoggingService(logData);
}
// Still log locally
console.log(JSON.stringify(logData));
}
Add this middleware in config/middleware.js:
module.exports = ({ env }) => ({
load: {
before: ['responseTime', 'logger', 'cors', 'responses', 'audit-logger'],
},
});
Step 8: Implementing Data Encryption
Protect sensitive data with encryption:
Environment Variables for Encryption Keys
# .env
ENCRYPTION_KEY=your-32-char-encryption-key
Service for Handling Encryption/Decryption
// ./src/services/encryption.js
const crypto = require('crypto');
module.exports = {
encrypt(text) {
const iv = crypto.randomBytes(16);
const key = Buffer.from(process.env.ENCRYPTION_KEY, 'utf-8');
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
return `${iv.toString('hex')}:${encrypted}`;
},
decrypt(text) {
const [ivHex, encryptedHex] = text.split(':');
const iv = Buffer.from(ivHex, 'hex');
const key = Buffer.from(process.env.ENCRYPTION_KEY, 'utf-8');
const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
let decrypted = decipher.update(encryptedHex, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
},
};
Lifecycle Hooks to Handle Sensitive Fields
// ./src/api/user-profile/content-types/user-profile/lifecycles.js
module.exports = {
beforeCreate(event) {
const { data } = event.params;
if (data.creditCardNumber) {
data.creditCardNumber = strapi.service('api::encryption.encryption').encrypt(data.creditCardNumber);
}
},
beforeUpdate(event) {
const { data } = event.params;
if (data.creditCardNumber) {
data.creditCardNumber = strapi.service('api::encryption.encryption').encrypt(data.creditCardNumber);
}
},
afterFindOne(event) {
const { result } = event;
if (result && result.creditCardNumber) {
result.creditCardNumber = strapi.service('api::encryption.encryption').decrypt(result.creditCardNumber);
}
},
afterFind(event) {
const { result } = event;
if (result) {
for (const item of result) {
if (item.creditCardNumber) {
item.creditCardNumber = strapi.service('api::encryption.encryption').decrypt(item.creditCardNumber);
}
}
}
},
};
Step 9: Implementing Web Application Firewall (WAF) Rules
For production deployments, configure WAF rules:
Example with AWS WAF and CloudFront
{
"Name": "StrapiApiProtection",
"Rules": [
{
"Name": "BlockSQLInjection",
"Priority": 1,
"Action": { "Block": {} },
"Statement": {
"SqliMatchStatement": {
"FieldToMatch": { "Body": {} },
"SensitivityLevel": "HIGH"
}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "BlockSQLInjection"
}
},
{
"Name": "RateLimitAdminEndpoints",
"Priority": 2,
"Action": { "Block": {} },
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP",
"ScopeDownStatement": {
"ByteMatchStatement": {
"FieldToMatch": { "UriPath": {} },
"PositionalConstraint": "STARTS_WITH",
"SearchString": "/admin",
"TextTransformations": [
{ "Priority": 0, "Type": "NONE" }
]
}
}
}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateLimitAdminEndpoints"
}
}
]
}
Step 10: Routine Security Maintenance
Set up a security maintenance routine:
Dependency Updates
Regularly update Strapi and its dependencies:
# Check for outdated packages
npm outdated
# Update to latest safe versions
npm update
# Update Strapi itself (after checking compatibility)
npm install @strapi/strapi@latest
Security Scanning
Integrate automated vulnerability scanning into your CI/CD pipeline:
# .github/workflows/security-scan.yml
name: Security Scan
on:
push:
branches: [ main ]
schedule:
- cron: '0 0 * * 0' # Weekly scan
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Run OWASP Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'Strapi API'
path: '.'
format: 'HTML'
out: 'reports'
args: >
--suppression suppression.xml
- name: Upload test results
uses: actions/upload-artifact@v3
with:
name: dependency-check-report
path: reports
Conclusion
Securing a Strapi API is a multi-layered effort that combines proper configuration, careful permission management, and ongoing maintenance. By implementing the security measures outlined in this guide, you can significantly reduce the risk of unauthorized access and data breaches in your Strapi applications.
Remember that security is never "done" - it's an ongoing process that should be regularly reviewed and updated as new threats emerge and as your application evolves. Regular security audits, penetration testing, and staying informed about Strapi security updates are crucial components of a comprehensive security strategy.
With careful attention to these security practices, your Strapi API can remain robust and protected against most common attack vectors, giving you the peace of mind to focus on delivering value through your content and services.