
I've been looking into ways of making my REST application a tad more secure. HTTP Basic authentication seems like a way, but with the need of shipping username+password between the client and the server on every request. Could work fine if I used curl, but with a Javascript file? Not so cool.

I've found and read about the Digest HTTP authentication lately, which seems to be a big step up from the security HTTP Basic offers, although a lot more complicated to understand, which I still haven't, to be completely honest.

I've looked at this question and its answers to learn about the pros and cons of using the Digest method, but it appears that the more I think about it, the messier it all gets.

There seems to be plenty of already available solutions out there to solve this issue, however most of them are now close to 10 years of age.

Is the Digest method a dinosaur that is best left alone in the dark in favour of other, newer ways of securing requests, or are there any good already-existing Digest libraries available?


Have you thought of using HTTPS? All you really need is a signed security certificate for the domain and to check in your code to make sure it connects that way. It will use SSL that way and the server and browser will automatically take care of encrypting the data sent back and forth and will use a three-way handshake for all communication.


You could look into different authentication techniques used by popular APIs like Facebook and Twitter which use the OAuth method for authentication.

Other APIs like Google Maps (v2) and Bitly let you access their API with an API key in the URL. So each user has an API key to use in the request like http://api.domain.com/get?key=supersecureapikey

Both methods are excellent and are widely used throughout the web, only accessing APIs directly from javascript will expose API keys/passwords. One option (the option I use) to get around this is to have the javascript call a file on your server which performs the API call on the server side, thus keeping keys/passwords [more] secure.


@pthurmond I can't comment on your answer, but SSL is not a method of authentication. It simply encrypts the data transfer between the two servers. This would still leave the API open to the public and doesn't solve anything. You should only use SSL for a rest API if you are transferring sensitive data (you should probably look into SOAP for this) or requests from a secure page (so the browser doesn't kick up a fuss about non-secure data)
Ok, point taken. You still need a login/authentication system. That said, if they use a framework of some sort this could be at least partially taken care of. I guess my focus was more on the security side. And seeing as how he already has an HTTP authentication system (unless I am misunderstanding him) all he would have to do to add security is change it into a secure http system (https) using a certificate and some quick url checking.
@adlawson: Thanks for your reply. Do you mind showing some pseudo code on how your solution is designed?
