How to Use tcpdump to Capture and Analyze Network Traffic

IPv6 has long since stopped being “the future of the Internet”—it is a fully functional standard that is being implemented by ISPs, hosting providers, mobile operators, and service developers. However, it will not work automatically: even if your provider assigns a prefix, without configuring the IPv6 network and DNS servers, connections may fail, websites may not load, and devices may remain inaccessible. This guide will help you configure IPv6 on a computer, server, or router from scratch, up to verifying functionality. We will cover how to set up IPv6 in Windows and Linux, what needs to be enabled in your router’s control panel, how to check whether IPv6 is actually working, and what issues you may encounter along the way. Everything is explained step by step, without unnecessary theory, with commands and examples. Checking IPv6 Support  Before configuring IPv6, you need to make sure it is available. Even in 2025, many networks—especially home and office networks—still run on IPv4 only, simply because no one has enabled support for the new protocol. We can say that a device has IPv6 configured if: The device has a global IPv6 address (starting with 2xxx: or 3xxx:) It has an IPv6 gateway and configured DNS servers It can access websites that are available only via IPv6 (for example, http://[2606:4700:4700::1111]) It successfully passes a test on test-ipv6.com Now, let’s see how to check if a machine has an IPv6 address. Linux Open the terminal and run: ip -6 addr If the output shows addresses like inet6 2xxx:... scope global, everything is fine. If it shows only fe80:... scope link, then you only have a local address and cannot reach the Internet. Example output of ip -6 addr in Linux when an IPv6 address is assigned and recognized Even if the machine has an IPv6 address, websites will not load without IPv6 DNS servers—the browser will not be able to resolve domain names into IPs. Therefore, immediately after checking the address, it makes sense to check which DNS servers are configured and whether they work over the new protocol. Check DNS with: resolvectl status Example output of resolvectl status in Linux when DNS servers are configured When both the IPv6 address and DNS servers appear correct, it does not yet mean that the connection is working. To ensure that the machine can actually send and receive traffic over IPv6, use ping6: ping6 google.com If the connection succeeds, then DNS works, the address is assigned, and the route to the Internet exists. If the response is “Name or service not known”, then DNS likely does not work. If “Network is unreachable”, then there is no route to the network, possibly because the gateway is not set. Note: having a global IPv6 address and DNS servers does not guarantee that the connection will work. Sometimes the provider assigns an address but does not provide a gateway—the system may think everything is connected, but Internet access will not be possible. Therefore, ping6 is a mandatory step. It helps determine whether traffic is actually flowing over IPv6. Example output of ping6 google.com in Linux when packets reach the recipient Windows Open the command prompt (cmd). Press Win + R, type cmd, and hit Enter. Then run: ipconfig Find the active network interface, e.g., Ethernet or Wi-Fi. Look for lines like: IPv6 Address. . . . . . . . . . . : 2600:1901:0:1234::100 Default Gateway . . . . . . . . . : 2600:1901:0:1234::1 If the IPv6 address starts with 2xxx: or 3xxx:, this is a global address, meaning IPv6 is already working. If you see only fe80:..., this is local IPv6, it works only within the network. It cannot reach the Internet. If there is no address at all, IPv6 is disabled or not configured. Example output of ipconfig in Windows when an IPv6 address is assigned and recognized Next, check whether DNS works over IPv6. In the same command prompt, enter: nslookup -type=AAAA google.com The response should include lines like: Name:    google.com Addresses:  2a00:1450:4010:c05::65             2a00:1450:4010:c05::71             2a00:1450:4010:c05::66             2a00:1450:4010:c05::64 If there is an address like 2a00:..., DNS is returning AAAA records and IPv6 support is working. If you see “Non-existent domain” or “can't find”, DNS does not return IPv6 addresses, and manual DNS configuration may be required. Example output of nslookup -type=AAAA google.com in Linux when DNS servers are configured Now check the IPv6 connection: ping -6 google.com If the response is Reply from 2a00:1450:400e:80f::200e: time=xxms, everything works: IPv6 is connected, DNS responds, routing is configured. If “Destination unreachable” or “General failure” appears: The address or gateway is configured incorrectly; The firewall is blocking ICMPv6; The provider assigned an address but did not provide a route. Example output of ping -6 google.com in Windows when packets reach the recipient What the Check Results Mean If you have a global IPv6 address (starting with 2xxx: or 3xxx:), DNS returns AAAA records, and ping -6 or ping6 succeeds to google.com, IPv6 is already working, and no further configuration is needed. If ipconfig or ip -6 addr shows only addresses like fe80:, DNS does not respond to AAAA queries, ping -6 returns “Destination unreachable” or “General failure”, or there are no IPv6 addresses in the system at all. It means that IPv6 is either not configured or completely disabled. In that case, proceed to the next section. We will cover how to enable and correctly configure IPv6 on a computer, server, or router. Preparation for Configuring IPv6 IPv6 can operate in fully automatic mode or require manual input of address, gateway, and DNS. It depends on the specific network, router, or server. If your provider or hosting has already configured everything for you—great. But if you see only local addresses (fe80:) and ping -6 fails, manual IPv6 configuration will likely be required. The first thing you need is a global IPv6 address. It is provided by your ISP or listed in the VPS control panel. Such an address may look like, for example, 2600:1901:0:1234::100. Along with it, the prefix length—subnet mask—is usually specified. In practice, /64 is most commonly used, giving a huge number of possible addresses within the subnet. Sometimes /128 is issued—a single address without the ability to address other devices. This is common on virtual servers. The next element is the gateway. It is needed for traffic from your network to reach the Internet. Most often, it matches the first address in the subnet. For example, if your address is 2600:1901:0:1234::100, the gateway may be 2600:1901:0:1234::1. In Linux, it is specified in the gateway6 field, and in Windows, in the network adapter properties. IPv6 will not work without DNS. Even if the address and route are correct, the system will not be able to resolve domain names. During setup, you can use reliable public DNS servers that support IPv6. For example: Google: 2001:4860:4860::8888 Cloudflare: 2606:4700:4700::1111 Quad9: 2620:fe::fe You can specify them manually. Once you have the IPv6 address, gateway, and DNS, you can proceed to configuration. The following sections will explain in detail how to set up IPv6 on Windows, Linux, and a router. Configuring IPv6 on a Computer or Server To manually configure IPv6, you will need the IPv6 address itself. You can obtain it from your Internet provider or the company where you purchased your cloud server, if they support IPv6. At the moment, Hostman doesn’t provide IPv6 addresses for our cloud servers. Linux The method depends on your system: it could be NetworkManager (on desktops), Netplan (on Ubuntu Server), or systemd-networkd. Obtaining IPv6 Automatically via dhclient Before configuring IPv6 manually, try obtaining it automatically. Use the dhclient utility, which requests an address from the DHCPv6 server and applies it to the interface. Install dhclient if it is not already installed: sudo apt update sudo apt install isc-dhcp-client Request an IPv6 address: sudo dhclient -6 The command does not output results to the terminal, but if the request is successful, the interface will receive a global IPv6 address. You can check with: ip -6 addr ip -6 route ping -6 google.com If you only see a local address like fe80:, then automatic acquisition failed, and you will need to proceed with manual configuration. Manual Configuration via Netplan (Ubuntu) On server distributions of Ubuntu, Netplan is used for network configuration. To set IPv6 manually, open the configuration file, usually: sudo nano /etc/netplan/50-cloud-init.yaml Fill in the fields in the block with the values obtained in the section “Preparation for Configuring IPv6”: network:   version: 2   ethernets:     eth0:       dhcp4: true       dhcp6: false       addresses:         - <IPv6-address>/<subnet-prefix-length>       gateway6: <IPv6-gateway>       nameservers:         addresses:           - 2001:4860:4860::8888           - 2606:4700:4700::1111 Then apply the settings: sudo netplan apply Check the results: ip -6 addr ip -6 route ping6 google.com If everything is entered correctly, the address will appear, and traffic will flow over IPv6. Windows To configure the address in Windows: Press Win + R, type ncpa.cpl, and press Enter. The Network Connections window will open. Right-click the active connection (e.g., Ethernet) → Properties. Select Internet Protocol Version 6 (TCP/IPv6) and click Properties. Check Use the following IPv6 address and fill in the fields: IPv6 Address: enter your address (e.g., 2600:1901:0:1234::100) Subnet prefix length: Windows usually fills this automatically based on the IPv6 address Gateway: enter the value obtained in “Preparing to Configure IPv6” Below, check Use the following DNS server addresses and enter: 2001:4860:4860::8888 2606:4700:4700::1111 These are DNS servers provided by Google and Cloudflare. Click OK → OK to save the settings. Restart the computer or server for the changes to take effect. Configuring IPv6 on a Router If you connect to the Internet via a home router, its settings determine whether your devices will receive IPv6 addresses and be able to access the network using the new protocol. Fortunately, modern routers increasingly support IPv6 out of the box. However, it is not always enabled by default—you may need to configure it manually. Even if your provider supports IPv6, devices in the network cannot use it until the router starts receiving a global IPv6 address from the provider, distributing addresses to devices (via SLAAC or DHCPv6), and providing DNS and routes. Router interfaces vary, so the exact location of settings may differ. To find the necessary section, open the router’s web interface (usually http://192.168.0.1 or http://192.168.1.1) and look for a tab named IPv6, Internet, WAN, or Network. If you cannot find it, search online for your router model. Note: For some providers, IPv6 works only if specific connection parameters are specified (connection type, prefix length, gateway). It is best to check your personal account or technical support. Next: Select the connection type. If the provider offers IPv6 directly, choose Native IPv6 or DHCPv6. If IPv6 is tunneled via IPv4, choose 6to4, 6rd, or Tunnel (rarely needed). Enable IPv6 distribution within the local network. Options may be named: Enable SLAAC Enable DHCPv6 Server Assign IPv6 prefix to LAN It is recommended to enable SLAAC + RDNSS, automatic configuration of addresses and DNS without DHCP. Specify IPv6 DNS servers: Google: 2001:4860:4860::8888 Cloudflare: 2606:4700:4700::1111 Save and restart the router. Linux: Troubleshooting Common Issues Symptom Problem Solution ip -6 addr shows only fe80: The device did not receive a global IPv6 address Make sure DHCPv6/SLAAC is enabled. Ensure the provider supports IPv6. ping6 google.com → Network is unreachable No route (gateway) set for IPv6 Check for gateway6 in Netplan or set manually: ip -6 route add default via <gateway> dev eth0. ping6 google.com → Name or service not known DNS is not working over IPv6 Make sure working DNS servers are configured (e.g., Google/Cloudflare). Check with resolvectl status and cat /etc/resolv.conf. DNS server is set, but ping6 still fails DNS server is unreachable over IPv6 Test DNS connection: ping6 2606:4700:4700::1111. Try a different DNS server. IPv6 intermittently disappears SLAAC/DHCPv6 does not refresh addresses or addresses are reset Ensure dhcp6: true is set or SLAAC is enabled. Check logs: journalctl -u systemd-networkd or nmcli device show. After netplan apply, IPv6 doesn’t work Errors in Netplan configuration Check YAML syntax: indentation, spaces, correct IP. Run sudo netplan try or sudo netplan generate && sudo netplan apply. DNS still uses IPv4 systemd-resolved only uses IPv4 Make sure IPv6 DNS servers are listed under nameservers.addresses. Restart the service: sudo systemctl restart systemd-resolved. IPv6 address exists, but no access to websites Provider did not give an Internet route or ICMPv6 is blocked Check if a route is received (ip -6 route). Ensure ICMPv6 is not blocked by the firewall: open ICMPv6 in iptables or nftables. ip -6 route is empty The system did not receive a route via IPv6 Add manually: sudo ip -6 route add default via <gateway> dev <interface>. systemd-networkd ignores configuration Conflict with NetworkManager Disable NetworkManager on the server: sudo systemctl stop NetworkManager && sudo systemctl disable NetworkManager. Use only systemd-networkd. Windows: Troubleshooting Common Issues Symptom Problem Solution No IPv6 address in ipconfig (only fe80:) The system did not receive a global IPv6 address Check that IPv6 support is enabled in adapter properties. Ensure the router/provider assigns addresses. Configure IPv6 manually if needed. ping -6 google.com → Destination unreachable No route (gateway) Manually set the gateway in adapter properties. Ensure the gateway is in the same subnet as your IPv6 address. ping -6 or nslookup → Name or service not known DNS does not work over IPv6 Set reliable IPv6 DNS (Google, Cloudflare) manually in adapter properties. nslookup -type=AAAA google.com → can't find DNS does not return AAAA records (IPv6 addresses) The DNS server does not support IPv6 queries. Use another server, e.g., 2001:4860:4860::8888. Addresses exist, DNS works, but websites do not open ICMPv6 is blocked or firewall interferes with routes Ensure incoming and outgoing ICMPv6 traffic is allowed in Windows Firewall. Check the network profile (Home/Public). Connection is unstable, IPv6 disappears Conflicting settings or issues with DHCPv6/SLAAC Try switching to manual configuration. Disable and re-enable IPv6 in adapter properties. Internet still does not work after manual setup Incorrect address, prefix, or gateway Ensure the address and gateway are in the same subnet. Check the prefix length (usually /64). Network does not respond after changing settings Windows did not apply changes without restart Restart the computer. Sometimes the IPv6 stack requires a full reboot to apply new settings. No IPv6 configuration option in interface Disabled or corrupted in the system Make sure the IP Helper service is running. Open services.msc and check the service status. ping -6 works, but websites do not open in the browser Browser uses only IPv4 or DNS conflict Flush DNS cache: ipconfig /flushdns. Try another browser or reset network settings. Conclusion IPv6 has long ceased to be experimental; it is a fully functional standard, working with most ISPs, hosting providers, and modern operating systems. However, simply obtaining an address is not enough to actually use it. It is important to ensure that everything is configured: from routes and DNS to router support. In this guide, we have covered the entire process, from initial checks to manual configuration and troubleshooting. If you followed the steps carefully, your computer or server should now work reliably over IPv6, and websites should load even without IPv4. If it still doesn’t work, start with the basics: check whether a global address is visible, whether DNS works, and whether ping6 reaches Google. These are three key checkpoints to understand what might be wrong. IPv6 is not difficult if you follow the instructions. Once you configure it correctly, you will likely not need to revisit it for a long time.

Wireproxy is a WireGuard client that acts as a SOCKS5/HTTP proxy server or tunnel. It is particularly useful when you need to connect to certain websites through a WireGuard peer but do not want or cannot configure a new network interface for various reasons. In this article, we will cover how to create a SOCKS5 proxy using Wireproxy, as well as how to connect to it via the FoxyProxy extension for the Firefox browser. Main reasons why Wireproxy might be the preferred choice: Using WireGuard as a traffic proxy. No need for administrator privileges to modify WireGuard settings. Wireproxy provides full isolation from the device’s network interfaces, allowing it to be used without administrative configuration. Key Features of Wireproxy Static TCP routing for both client and server. SOCKS5/HTTP proxy support (currently only CONNECT is supported). Developers are working on additional features, including UDP support in SOCKS5 and static UDP routing. And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS. Installing Wireproxy Wireproxy supports multiple operating systems, including Linux, macOS, and Windows. There are two main installation methods: Building the project from source using Go. Downloading a precompiled version for your platform. Building from source ensures the latest code, while a precompiled version offers stability and convenience. Installing the Precompiled Version (Windows) Go to the GitHub releases page and download the archive for your operating system. For Windows, download wireproxy_windows_amd64.tar.gz. Extract the archive and place wireproxy.exe in a convenient location, e.g., create a wireproxy folder on your desktop. Open the Windows Command Prompt or PowerShell and navigate to the folder using: cd Desktop\wireproxy Verify the utility works correctly: wireproxy.exe -v Building from Source Using Go (Linux) Prerequisites Ensure Go version 1.20 or higher is installed: go version If Go is not installed, use this Ubuntu 22.04 installation guide. Build process Clone the Wireproxy repository: git clone https://github.com/octeep/wireproxy cd wireproxy Run the build process: make After the build completes, verify: ./wireproxy -v Configuring Wireproxy After installing Wireproxy, the next step is configuring the utility. You need a WireGuard configuration file. You can create a new server and set up WireGuard manually, e.g., following this Hostman guide. Alternatively, use the Marketplace section when creating a server and select Wireguard-GUI. A typical WireGuard configuration file looks like this: [Interface] PrivateKey = [Your_Private_Key] Address = 10.0.0.2/32 DNS = 8.8.8.8 [Peer] PublicKey = [Server_Public_Key] Endpoint = [Server_IP:Port] AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 20 Place the WireGuard configuration file in the wireproxy folder you created earlier. In this example, the file is named wg.conf. Creating the Wireproxy Configuration In the wireproxy directory, create wp.conf for the SOCKS5 proxy configuration: WGConfig = ./wg.conf [Socks5] BindAddress = 127.0.0.1:25344 Username = hostman Password = hostman WGConfig specifies the path to your WireGuard config. BindAddress defines the local proxy address and port. Username and Password are optional login credentials for the proxy. Testing the Configuration Linux: ./wireproxy -c wp.conf -n Windows: wireproxy.exe -c wp.conf -n This checks that the configuration is correct without starting the proxy. Running Wireproxy Linux: ./wireproxy -c wp.conf Windows: wireproxy.exe -c wp.conf For background execution, use the -d flag: Linux: ./wireproxy -c wp.conf -d Windows: wireproxy.exe -c wp.conf -d Connecting to Wireproxy via Browser Extension To use Wireproxy in a browser, specialized proxy management extensions can be used. In this example, we will configure FoxyProxy in Firefox, though similar steps apply to other browsers, e.g., Chrome with Proxy SwitchyOmega. Installing and Configuring FoxyProxy in Firefox Install FoxyProxy from FoxyProxy for Firefox. Click the FoxyProxy icon and select Options to open settings. Click Add to create a new proxy configuration. Set Proxy Type to SOCKS5. Enter 127.0.0.1 as Proxy IP and 25344 as Port. If a username and password were set in Wireproxy, enter them in Username and Password. Click Save to store the configuration. Click the FoxyProxy icon again and select the newly created configuration to connect to the proxy. Visit any IP check service online to confirm that the IP address has changed. This verifies that your traffic is routed through Wireproxy. FoxyProxy supports patterns to apply proxy usage only to specific sites. Open the FoxyProxy menu and select Options. Click Patterns in your existing connection. Enable patterns by clicking the FoxyProxy icon and selecting Use Enable Proxies By Patterns and Order. After this, the proxy will only be used for websites specified in your patterns. Conclusion In this article, we covered the installation and configuration of Wireproxy, a tool for creating SOCKS5/HTTP proxies via WireGuard. Wireproxy’s standout feature is its ability to operate in user space, simplifying setup and usage, especially for users without administrative privileges. We also demonstrated integrating Wireproxy with browser extensions for convenient proxy management.

APIs are the bridges between programs in the modern internet. When you order a taxi, the app communicates with the server via an API. When you buy something online, the payment system checks your card through a banking API. These invisible connections handle billions of operations every day. However, an unsecured API is an open gateway for attackers. Real statistics show the scale of the problem: 99% of organizations reported at least one API-related incident in the past year. The total number of API attacks in Q3 2024 exceeded 271 million, which is 85% more than attacks on regular websites. Most companies provide unrestricted access to half of their APIs, often without realizing it. The good news is that 90% of attacks can be blocked with simple security measures. Most attackers rely on the assumption that the API is completely unprotected. Basic security strategies filter out attackers. From this guide, you will get five practical steps to secure an API that can be implemented within a week. No complex theory—only what really works in production. After reading, you will have a secure API capable of withstanding most attacks. Step One: Authentication Authentication answers a simple question: “Who is this?” Imagine an API as an office building with a security guard at the entrance. Without checking IDs, anyone can enter: employees, couriers, or thieves. Similarly, an API without authentication is available to anyone on the internet. Anyone can send a request and access your data. Why authentication is important: Protect confidential data: Your API likely handles information that should not be publicly accessible: user profiles, purchase history, medical records. Without authentication, this data becomes public. Track request sources: When something goes wrong, you need to know where the problem originated. Authentication ties each request to a specific client, making incident investigation and blocking attackers easier. API Keys — Simple and Reliable An API key works like an office pass. Each application is issued a unique card that must be presented for each entry. How it works: The server generates a random string of 32–64 characters. The key is issued to the client application once. The application sends the key with every request. The server verifies the key in the database. Pros: Easy to implement in a few hours Simple to block a specific key Good for internal integrations Cons: Database load for each verification Difficult to manage with thousands of clients Risk of key leakage from client code JWT Tokens — Modern Standard JWT (JSON Web Token) is like a passport with built-in protection against forgery. The token contains user information and does not require constant server verification. Token structure: Header — encryption algorithm Payload — user ID, role, permissions Signature — prevents tampering When to use: Microservices architecture High-load systems Mobile applications Pros: High performance—no database queries needed Token contains all necessary information Supported by all modern frameworks Cons: Difficult to revoke before expiration Compromise of the secret key is critical Token can become large if overloaded with data OAuth 2.0 — For External Integrations OAuth 2.0 solves the problem of secure access to someone else’s data without sharing passwords. It is like a power of attorney—you allow an application to act on your behalf within limited scopes. Participants: User — data owner Application — requests access Authorization server — verifies and issues permissions API — provides data according to the token Typical scenarios: “Sign in with Google” in mobile apps Posting to social media on behalf of a user Banking apps accessing account data How to Choose the Right Method Let’s look at the characteristics of each method: Criterion API Keys JWT Tokens OAuth 2.0 Complexity Low Medium High Setup Time 2 hours 8 hours 2 days For MVP Ideal Possible Overkill Number of Clients Up to 100 Thousands Any number External Integrations Limited Poor Ideal Stage Recommendations: Prototype (0–1,000 users): Start with API keys. They protect against accidental access and give time to understand usage patterns. Growth (1,000–100,000 users): Move to JWT tokens. They reduce database load and provide more flexibility. Scale (100,000+ users): Add OAuth 2.0 for integrations with major platforms. Start with API keys, even if you plan something more complex. A working simple security system is better than a planned perfect one. Transition to other methods gradually without breaking existing integrations. Remember: An API without authentication is a critical vulnerability that must be addressed first. Step Two: Authorization Authentication shows who the user is. Now you need to decide what they are allowed to do. Authorization is like an office access system: everyone has an entry card, but only IT can enter the server room, and accountants can access the document archive. Without proper authorization, authentication is meaningless. An attacker may gain legitimate access to the API but view other people’s data or perform prohibited operations. Role System Three basic roles for any API: Admin Full access to all functions User and settings management View system analytics and logs Critical operations: delete data, change configuration User Work only with own data Create and edit personal content Standard operations: profile, orders, files Access to publicly available information Guest View public information only Product catalogs, news, reference data No editing or creation operations Limited functionality without registration Grant users only the permissions critical for their tasks. When in doubt, deny. Adding permissions is easier than fixing abuse consequences. Additional roles as the system grows: Moderator — manage user content Manager — access analytics and reports Support — view user data for issue resolution Partner — limited access for external integrations Data Access Control It’s not enough to check the user’s role. You must ensure they can work only with the data they are allowed to. A user with the “User” role should edit only their posts, orders, and profile. Example access rules: Users can edit only their profile Orders are visible to the buyer, manager, and admin Financial reports are accessible only to management and accounting System logs are viewable only by administrators Access Rights Matrix: Resource Guest User Moderator Admin Public Content Read Read Read + Moderation Full Access Own Profile - Read + Write - Full Access Other Profiles - - Read Full Access System Settings - - - Full Access Critical operations require additional checks, even for admins: User deletion — confirmation via email Changing system settings — two-factor authentication Bulk operations — additional password or token Access to financial data — separate permissions and audit Common Authorization Mistakes Checking only on the frontend: JavaScript can be bypassed or modified. Attackers can send requests directly to the API, bypassing the interface. Always check permissions on the server. Overly broad access rights: “All users can edit all data” is a common early mistake. As the system grows, this leads to accidental changes and abuse. Start with strict restrictions. Forgotten test accounts: Test accounts often remain in production with elevated permissions. Regularly audit users and remove inactive accounts. Lack of change auditing: Who changed what and when in critical data? Without logging admin actions, incident investigation is impossible. Checking authorization only once: User permissions can change during a session. Employee dismissal, account blocking, or role changes should immediately reflect in API access. Mixing authentication and authorization: “If the user is logged in, they can do everything” is a dangerous logic. Authentication and authorization are separate steps; each can result in denial. Proper authorization balances security and usability. Too strict rules frustrate users; too lax rules create security holes. Start with simple roles, increase complexity as needed, but never skip permission checks. Step Three: HTTPS and Encryption Imagine sending an important letter through the mail. HTTP is like an open postcard that any mail carrier can read. HTTPS is a sealed envelope with a personal stamp that only the recipient can open. All data between the client and the API travels through dozens of intermediate servers on the internet. Without encryption, any of these servers can eavesdrop and steal confidential information. Why HTTP is Unsafe What an attacker can see when intercepting HTTP traffic: API keys and access tokens in plain text User passwords during login Credit card numbers and payment information Personal information: addresses, phone numbers, medical records Contents of messages and documents 19% of all successful cyberattacks are man-in-the-middle attacks, a significant portion of which involve open networks (usually HTTP) or incorrect encryption configuration. Public Wi-Fi networks, corporate networks with careless administrators, ISPs in countries with strict censorship, and rogue access points with names like “Free WiFi” are particularly vulnerable. Setting Up HTTPS Obtaining SSL Certificates An SSL certificate is a digital document that verifies the authenticity of your server. Without it, browsers display a warning about an insecure connection. Free options: Let’s Encrypt — issues certificates for 90 days with automatic renewal Cloudflare — free SSL for websites using their CDN Hosting providers — many include SSL in basic plans Paid SSL certificates are used where a particularly high level of trust is required, for example for large companies, financial and medical organizations, or when an Extended Validation (EV) certificate is needed to confirm the legal identity of the site owner. Enforcing HTTP to HTTPS Redirection Simply enabling HTTPS is not enough—you must prevent the use of HTTP. Configure automatic redirection of all requests to the secure version. Check configuration: Open your API in a browser. It should show a green padlock. Try the HTTP version. It should automatically redirect to HTTPS. Use SSL Labs test to verify configuration. Security Headers (HSTS) HTTP Strict Transport Security forces browsers to use HTTPS only for your domain. Add the header to all API responses: Strict-Transport-Security: max-age=31536000; includeSubDomains This means: “For the next year, communicate with us only via HTTPS, including all subdomains.” Additional Encryption HTTPS protects data in transit, but in the database it is stored in plain text. Critical information requires additional encryption. Must encrypt: User passwords — use bcrypt, not MD5 API keys — store hashes, not raw value Credit card numbers — if processing payments Medical data — per HIPAA or equivalent regulations Recommended encryption: Personal data: phone numbers, addresses, birth dates Confidential user documents Internal tokens and application secrets Critical system settings The hardest part of encryption is secure key storage. Encryption keys must not be stored alongside encrypted data. Rotate encryption keys periodically. If a key is compromised, all data encrypted with it becomes vulnerable. HTTPS is the minimum requirement for any API in 2025. Users do not trust unencrypted connections, search engines rank them lower, and laws in many countries explicitly require encryption of personal data. Step Four: Data Validation Users can send anything to your API: abc instead of a number, a script with malicious code instead of an email, or a 5 GB file instead of an avatar. Validation is quality control at the system’s entry point. Golden rule: Never trust incoming data. Even if the data comes from your own application, it may have been altered in transit or generated by a malicious program. Three Validation Rules Rule 1: Check Data Types Age must be a number, not a string. Email must be text, not an array. Dates must be in the correct format, not random characters. Rule 2: Limit Field Length Unlimited fields cause numerous problems. Attackers can overload the server with huge strings or fill the entire database with a single request. Rule 3: Validate Data Format Even if the data type is correct, the content may be invalid. An email without @ is not valid, and a phone number with letters cannot be called. Injection Protection SQL injection is one of the most dangerous attacks. An attacker inserts SQL commands into normal form fields. If your code directly inserts user input into SQL queries, the attacker can take control of the database. Example: A search field for users. A legitimate user enters “John,” but an attacker enters: '; DROP TABLE users; --. If the code directly inserts this into a query: SELECT * FROM users WHERE name = ''; DROP TABLE users; -- Result: the users table is deleted. Safe approach: Queries and data are sent separately. The database automatically escapes special characters. Malicious code becomes harmless text. File Validation Size limits: One large file can fill the server disk. Set reasonable limits for each operation. File type checking: Users may upload executable files with viruses or scripts. Allow only safe formats. Check more than the extension: Attackers can rename virus.exe to photo.jpg. Check the actual file type by content, not just by name. Quarantine files: Store uploaded files in separate storage with no execution rights. Scan with an antivirus before making them available to others. Data validation is your first line of defense against most attacks. Spending time on thorough input validation prevents 70% of security issues. Remember: it’s better to reject a legitimate request than to allow a malicious one. Step Five: Rate Limiting Rate Limiting is a system to control the request speed to your API. Like a subway turnstile letting people through one at a time, the rate limiter controls the flow of requests from each client. Without limits, a single user could overwhelm your server with thousands of requests per second, making the API unavailable to others. This is especially critical in the age of automated attacks and bots. Why Limit Request Rates DDoS protection: Distributed denial-of-service attacks occur when thousands of computers bombard your server simultaneously. Rate Limiting automatically blocks sources with abnormally high traffic. Prevent abuse: Not all attacks are malicious. A developer may accidentally run a script in an infinite loop. A buggy mobile app may send requests every millisecond. Rate Limiting protects against these incidents. Fair resource distribution: One user should not monopolize the API to the detriment of others. Limits ensure all clients have equal access. Cost control: Each request consumes CPU, memory, and database resources. Rate Limiting helps forecast load and plan capacity. Defining Limits Not all requests place the same load on the server. Simple reads are fast; report generation may take minutes. Light operations (100–1,000 requests/hour): Fetch user profile List items in catalog Check order status Ping and healthcheck endpoints Medium operations (10–100 requests/hour): Create a new post or comment Upload images Send notifications Search the database Heavy operations (1–10 requests/hour): Generate complex reports Bulk export of data External API calls Limits may vary depending on circumstances: more requests during daytime, fewer at night; weekends may have different limits; during overload, limits may temporarily decrease, etc. When a user reaches the limit, they must understand what is happening and what to do next. Good API response when limit is exceeded: HTTP Status: 429 Too Many Requests { "error": "rate_limit_exceeded", "message": "Request limit exceeded. Please try again in 60 seconds.", "current_limit": 1000, "requests_made": 1000, "reset_time": "2025-07-27T22:15:00Z", "retry_after": 60 } Bad response: HTTP Status: 500 Internal Server Error { "error": "Something went wrong" } Rate Limiting is not an obstacle for users but a protection of service quality. Properly configured limits are invisible to honest clients but effectively block abuse. Start with conservative limits and adjust based on actual usage statistics. Conclusion Securing an API is not a one-time task at launch but a continuous process that evolves with your project. Cyber threats evolve daily, but basic security strategies remain unchanged. 80% of attacks can be blocked with 20% of effort. These 20% are the basic measures from this guide: HTTPS, authentication, data validation, and rate limiting. Do not chase perfect protection until you have implemented the fundamentals.