Describe
5.3 Describe REST API security
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
REST APIs are part of modern network operations. ENCOR does not expect you to become an application security engineer, but you should know what makes an API call safe enough for network automation.
The core idea
A secure REST API session should answer these questions:
- Is this the real server? TLS certificate validation.
- Who is the client? Authentication.
- What is the client allowed to do? Authorization.
- Is the secret protected? Token and credential handling.
- Can the action be traced? Logging and accountability.
Automation script | v HTTPS + cert validation -> bad cert? STOP | v Auth (token/basic) -> 401? fix credentials | v API request -> 403? fix role/scope | v Parse JSON response -> 4xx/5xx? read error bodyMinimum safe pattern
Use HTTPS, validate certificates, authenticate, use least privilege, set timeouts, and handle errors.
import os
import requests
BASE_URL = "https://dnac.example.com"
TOKEN = os.environ["DNAC_TOKEN"]
headers = {
"Authorization": f"Bearer {TOKEN}",
"Accept": "application/json",
}
response = requests.get(
f"{BASE_URL}/dna/intent/api/v1/network-device",
headers=headers,
timeout=10,
)
response.raise_for_status()
for device in response.json().get("response", []):
print(device.get("hostname"), device.get("managementIpAddress"))Important choices:
- The token comes from an environment variable, not hard-coded source.
- HTTPS is used.
- Certificate verification is left enabled. Do not use
verify=Falsein real automation. - A timeout prevents the script from hanging forever.
raise_for_status()fails loudly on HTTP errors.
Curl example
curl -sS \
-H "Authorization: Bearer $DNAC_TOKEN" \
-H "Accept: application/json" \
https://dnac.example.com/dna/intent/api/v1/network-deviceFor RESTCONF in a lab, you may see basic authentication:
curl -sS \
-u "$RESTCONF_USER:$RESTCONF_PASSWORD" \
-H "Accept: application/yang-data+json" \
https://router1.example.com/restconf/data/ietf-interfaces:interfacesIn production, prefer role-scoped credentials or tokens, restrict source access, and protect secrets.
Authentication versus authorization
Authentication proves identity. Authorization controls permissions.
A script that can read inventory should not automatically be able to push device configuration. A token used for reporting should be read-only. A token used for change automation should be scoped, logged, rotated, and protected.
HTTP status codes you should recognize
| Code | Meaning for security/troubleshooting |
|---|---|
| 200/201/204 | Request succeeded. 204 means no response body. |
| 400 | Bad request; often malformed payload. |
| 401 | Not authenticated or bad/expired token. |
| 403 | Authenticated but not authorized. |
| 404 | Resource not found or not visible to this user. |
| 429 | Rate limited. Back off. |
| 500+ | Server-side problem or upstream failure. |
Lab
Goal: Make a safe authenticated API call.
Tasks:
- Store a token or password in an environment variable.
- Call a read-only API endpoint over HTTPS.
- Leave TLS verification enabled.
- Add a timeout.
- Print only non-sensitive fields.
- Test a bad token and observe
401or403. - Test a malformed URL or payload and observe the error handling.
Success criteria:
- No secrets appear in source code, shell history output, or logs.
- The script fails clearly on authentication/authorization errors.
- The script does not disable certificate verification.
- The API account has only the permission needed for the task.
Exam traps
- HTTPS without certificate validation is not enough.
- Authentication is not authorization.
- A token is a secret. Treat it like a password.
401and403are different: unauthenticated versus not allowed.- Hard-coding credentials in scripts is a security failure and an operations failure.