From dfc2d39427eea6a100b5bc0bc2fd02bb55bb0087 Mon Sep 17 00:00:00 2001 From: Kamran Ahmed Date: Tue, 21 Feb 2023 15:48:03 +0000 Subject: [PATCH] Add content to API security best practices --- .../api-security/content/directory-listings.md | 8 +++++++- .../api-security/content/oauth-redirect-ui.md | 10 +++++++++- .../api-security/content/restrict-private-apis.md | 7 ++++++- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/src/data/best-practices/api-security/content/directory-listings.md b/src/data/best-practices/api-security/content/directory-listings.md index 474c1b797..e9e41bec5 100644 --- a/src/data/best-practices/api-security/content/directory-listings.md +++ b/src/data/best-practices/api-security/content/directory-listings.md @@ -1 +1,7 @@ -# Directory listings \ No newline at end of file +# Directory Listings + +> Turn off directory listings + +Directory listings are a feature of web servers that allow users to view the contents of a directory on a server. By default, web servers often have directory listings enabled, which means that anyone who has access to the server can see all the files and directories in a given folder. + +Turning off directory listings is important for API security because it prevents attackers from gaining access to sensitive files and directories on the server. If directory listings are enabled and an attacker gains access to the server, they can easily view and download any files that are not properly protected. By disabling directory listings, you can ensure that only authorized users can access the files and directories on the server. \ No newline at end of file diff --git a/src/data/best-practices/api-security/content/oauth-redirect-ui.md b/src/data/best-practices/api-security/content/oauth-redirect-ui.md index 59524b51d..9e35ea303 100644 --- a/src/data/best-practices/api-security/content/oauth-redirect-ui.md +++ b/src/data/best-practices/api-security/content/oauth-redirect-ui.md 
@@ -1 +1,9 @@ -# Oauth redirect ui \ No newline at end of file +# redirect_uri + +> Validate `redirect_uri’ on server-side to prevent open redirect attacks. + +In OAuth, `redirect_uri` is a parameter that specifies the URI (Uniform Resource Identifier) that the authorization server should redirect the user to after authentication is complete. The `redirect_uri` is often used in the OAuth flow to return an authorization code or access token to the client application. + +It is important to validate the `redirect_uri` on the server-side to prevent attacks such as open redirection attacks. In an open redirection attack, an attacker can modify the `redirect_uri` parameter to redirect the user to a malicious website. By validating the `redirect_uri` on the server-side, you can ensure that the redirect URI is a valid and authorized URI for the client application. + +Validating the `redirect_uri` on the server-side can also prevent other types of attacks such as phishing attacks or cross-site request forgery (CSRF) attacks. By verifying that the `redirect_uri` matches a predefined list of authorized URIs, you can ensure that the user is redirected to a trusted site after authentication is complete. \ No newline at end of file diff --git a/src/data/best-practices/api-security/content/restrict-private-apis.md b/src/data/best-practices/api-security/content/restrict-private-apis.md index 43e213abf..ada767013 100644 --- a/src/data/best-practices/api-security/content/restrict-private-apis.md +++ b/src/data/best-practices/api-security/content/restrict-private-apis.md 
@@ -1 +1,6 @@ -# Restrict private apis \ No newline at end of file +# Restrict Private APIs + +> Private APIs should only be accessible from safe listed IPs + +Private APIs should only be accessible from safe-listed IPs to ensure that only authorized users or systems can access the API. By restricting access to specific IP addresses, you can prevent unauthorized access from external networks or malicious actors. This can help to protect sensitive data and prevent attacks such as DDoS or brute-force attacks. Additionally, restricting access to safe-listed IPs can help to ensure the reliability and performance of the API by preventing excessive traffic from unauthorized sources. +
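Review bot: In the first hunk (directory-listings.md), the second paragraph conflates two different situations: "anyone who has access to the server can see all the files" and "if an attacker gains access to the server" read as if server compromise were required, but the actual exposure is that any unauthenticated HTTP client requesting a directory path that has no index file gets an enumerable listing of its contents. Suggest rewording along the lines of "any client that requests a directory URL without an index file can enumerate every file in it, including backups, configuration files and other content that was never meant to be linked", and mentioning the concrete server settings so the advice is actionable (Apache `Options -Indexes`, nginx `autoindex off;`). The new file also ends with "\ No newline at end of file"; add a trailing newline for consistency with the rest of the repo's markdown.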
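Review bot: In the second hunk (oauth-redirect-ui.md), the blockquote line has a mismatched delimiter: `` > Validate `redirect_uri’ on server-side `` opens with a backtick and closes with a curly apostrophe, so the inline code span never closes and will render incorrectly; it should read `` > Validate `redirect_uri` on the server-side ``. The advice itself would be stronger if the last paragraph stated the required comparison explicitly: the `redirect_uri` supplied in the authorization request must match one of the URIs pre-registered for that client by exact string comparison (as RFC 6749 §3.1.2 and the OAuth 2.0 Security Best Current Practice recommend), not by prefix, substring or pattern match, because loose matching is exactly what open-redirect and code-leakage bypasses exploit. Also consider naming the heading "# Validate redirect_uri" to match the Title Case, imperative style used in the other two files, and add the missing trailing newline.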
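Review bot: In the third hunk (restrict-private-apis.md), the claim that IP allow-listing prevents "attacks such as DDoS or brute-force attacks" is overstated: an IP restriction reduces the exposed surface and blocks unauthenticated traffic from unknown sources, but it is not a DDoS mitigation (volumetric traffic still reaches the edge) and offers nothing against brute force from an allowed address or a compromised host on the allow list. Suggest rephrasing to "reduces exposure to scanning, credential brute-forcing and abusive traffic from unknown sources" and adding one sentence that IP restrictions complement, rather than replace, authentication and authorization on the API itself. Minor: the blockquote says "safe listed" while the body says "safe-listed"; pick one spelling, and note that this file ends with an extra blank line while the other two new files lack a trailing newline, so the three files are inconsistent with each other.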