Securing a RESTful API
For my current side project, a modular web management system (which contains modules for database management, CMS, project management, resource management, time tracking, etc…), I want to expose the entire system through a RESTful API, as I think it will make the system more usable. The system is going to be coded in ASP.NET MVC3, and if I make the data/actions available through a RESTful API, it should make the system easy to use from PHP, Ruby, Python, etc… (they can make their own interface to manage the data if they want).

However, one thing that seems hard (from the point of view of a user of the RESTful API) is RESTful API security with AJAX functionality. If I wanted a complex setup, I would use or create SOAP services, but the whole drive behind using a RESTful API is that it is easy. The common way of securing a RESTful API is with a key associated with a user. That works fine when the calls are done on the server side, but once you start doing AJAX functionality, that changes. I want the RESTful API to be callable directly from JavaScript, but then Firebug would be able to access the key of the user using it, which would allow that person access to the system. Is there a better way to secure a RESTful API that does not make the user of the RESTful API do complex things to set it up?
For one thing, you can't prevent a user of the API from exposing their key.

But, if you are writing the client API, I'd suggest using server-side requests to the API, while the HTML pages provide the data to the user. If you absolutely must use JavaScript to make calls to the API, and you still have a server side that populates the page in question, you can obscure the actual key via a one-way digest algorithm in a timestamp-dependent way while generating the page, and make the API check the digest in a time-dependent way too.

Also, I'd suggest you look at OAuth nonces and timestamps a bit more deeply. Twitter and other API providers have this problem too, and they must be doing it with nonce values.
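The following puts the answer's two ideas together: a timestamp-dependent one-way digest derived from the real key while the server renders the page, checked in a time-dependent way by the API, plus the nonce/timestamp replay check the answer points to in OAuth. This is an added example written for this page, not code from the question or the answer; it assumes HMAC-SHA256 as the digest, a 300-second validity window, a constructed server secret and an in-memory nonce set, all of which are illustrative choices.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed server-side secret for the example; it never leaves server configuration.
API_SECRET = b"example-server-secret-do-not-reuse"
WINDOW_SECONDS = 300  # assumed lifetime of a page-issued token


def _canonical(user_id: str, ts: int, nonce: str) -> bytes:
    """Fixed field order so page generation and API verification digest the same bytes."""
    return f"{user_id}|{ts}|{nonce}".encode()


def issue_page_token(user_id: str, secret: bytes = API_SECRET, now: Optional[int] = None) -> dict:
    """Runs while the server renders the HTML page.

    Derives a short-lived token from the secret with HMAC-SHA256 (the one-way,
    timestamp-dependent digest). The page embeds this token for its JavaScript;
    the secret itself is never sent to the browser.
    """
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)  # fresh per page render, so one token cannot be replayed
    digest = hmac.new(secret, _canonical(user_id, ts, nonce), hashlib.sha256).hexdigest()
    return {"user": user_id, "ts": ts, "nonce": nonce, "digest": digest}


class ApiVerifier:
    """API side: recomputes the digest in the same time-dependent way and
    rejects malformed, stale, forged or replayed tokens."""

    def __init__(self, secret: bytes = API_SECRET, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        # Hypothetical in-memory replay store; a real deployment would use a
        # shared cache whose entries expire after `window` seconds.
        self.seen_nonces = set()

    def verify(self, token: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            user = token["user"]
            ts = int(token["ts"])
            nonce = token["nonce"]
            digest = token["digest"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # Time check: older than the window (or far in the future) is stale
        # regardless of the digest, which keeps leaked tokens short-lived.
        if not (now - self.window <= ts <= now + 60):
            return False, "expired"
        expected = hmac.new(self.secret, _canonical(user, ts, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak digest bytes via timing.
        if not hmac.compare_digest(expected, digest):
            return False, "bad digest"
        # Nonce check last: only well-formed, in-window, correctly signed tokens consume a nonce.
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    token = issue_page_token("alice")       # done while rendering the page
    api = ApiVerifier()
    print(api.verify(token))                 # first AJAX call with the token
    print(api.verify(token))                 # same token again is rejected
```

The token the page embeds is still visible in the browser's developer tools, so this does not hide it from the person using the page; what it changes is that the visible value is bound to one user, one time window and one use, rather than being the long-term key.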