i set up a REST API based on this tutorial https://www.codeofaninja.com/2017/02/create-simple-rest-api-in-php.html
what i want to do is to provide some sort of security to it. for example to access the ..../read.php address like this .../read.php+{some long key}
they key should be stored on sever and on my side to ensure some kind of match. i know it's not the most secure method but i plan to use this API for an Android app and don't want to complicate things as i'm fairly new to this.
do you have nay suggestions ?
Related
In a restful API, POST should be used to create, and GET should be used to read.
Sometimes, for security reasons, you can't pass sensitive variables in the URI. For example, if you have an /accounts API that requires you to pass "accountNumber". If your security team won't let you put that in the URI, then you have to use the POST method instead of the GET method to service the "read" operation, and you can then provide the account number in the request body.
That brings me to my question: If you've used up the POST method to service a read operation, how do you service the "create" operation of the same API?
"/accounts/create" wouldn't be advised because your APIs should be nouns, not verbs. It doesn't seem right to use up a different HTTP method like PUT. This issue has to come up a lot so I'm curious what people are doing to get around it?
If you're using POST for this, you are not building a RESTful service. The way I see this, you have 2 options:
Accept this, and build a more RPC-like system.
Change the id's in your application so that they are not a security risk. If knowing an id is a problem, consider using something else.
I am building a basic app using node.js and mysql and just getting a hang of it, I would like to secure the api,like only allow certain people to access the data, maybe by passing a certain token each time a user requests for some information, I tried searching for certain tutorials which used node.js and mysql database and security, I am confused as to which security measure to use, I even read about Json Web Tokens but din't find a proper tutorial for that.Please point me in the right direction.
EDIT
What I meant to say was, only authenticated users are allowed to get access to data in the api, when a random visitor tries to access a URL he shouldnt be alowed to without proper authentication,what I am mostly looking for now is when a user is authenticated the user should be a sent a token of some sort so then gets access to private data,I don't exactly know how to go about this whole thing.Would be glad if you could clear it up for me.
I would look at implementing Oauth2 server in your app. I found this article useful:
http://blog.papersapp.com/oauth-server-in-node-js/
No sure what your exact question is about, but I think the below will help:
Node.js security tips: http://blog.risingstack.com/node-js-security-tips/
Secure Express apps with various HTTP headers: https://github.com/helmetjs/helmet
Go on an educational Web security adventure: https://github.com/toolness/security-adventure
Node.js Security presentation: http://www.slideshare.net/d0cent/nodejs-security?qid=c450507b-e491-4e9a-9b05-89d0c82ea10b&v=default&b=&from_search=6
Take a look at http://passportjs.org/ . Passport has support for alot of authentication methods, however, for your API, you will probably want to use OAuth (http://passportjs.org/docs/oauth2-api). OAuth is what most popular APIs use to authenticate consumers.
For simple projects, You can also use basic authentication, which is what you see when you see the browser prompt asking for username and password. This authentication information can be sent in the header when API consumers makes requests.
I've got an android and iphone app that both get the required data from a webserver. The data is sent via json to the client. Using this setup other people might simply retrieve the url the app is calling and this way could make use of the data that I gather with my scripts on the server. To make it short: I don't want that :)
My idea is to make the json unreadable for example by encrypting it. This would make it a little harder to retrieve the information since this way some who would like to use my service would had to decompile the app an lookup any decryption stuff I had implemented.
Therefore two questions:
Do there exist some libraries that already offer such a functionality (Server side is Java)?
Does anyone of you have any other suggestions how I could protect my api from unwanted guests?
Thanks in advance :)
I think the options available would be...
to lock down the API to Authorized/Authenticated users.
Using BSON to obfuscate the data.
You could always use oAuth to allow the users to authenticate based on an account they already have: Facebook, Twitter, Google etc.
I am creating an API server which serves a card number validation and transaction insert.
Sample API URL = http://mydomain.com/api.json?cardnumber=2342343244&api_key=jhj67asd234tgbh123
Existing system:
I am providing an api key to client systems (say ebay.com). I am providing a discount if the user have a valid card. So my client will provide a form field to his end users to enter a valid card number.
Problem:
My client is writing ajax request to my domain to process the validation. The problem is the api key is visible in console and anyone can do the request outside of the client system (security loss).
Propose system: Please propose a system where my api key is hidden, so that the request will be processed securely. The solution may be any other way of writing an API.
I have less knowledge about API. Any help will be appreciated.
In my experience there isn't an easy way of doing this.
The only method I know about is providing the client with a one-time key. As soon as its used, it expires and the client will need a new one.
In this manner it doesn't matter that the key is visible in the console as its only ever going to be valid for a single request.
I hope that helps but I'd love to hear about any suggestions anyone else has.
I am looking at creating a good google chrome extension for tumblr.
Now tumblr uses Oauth as it's authentication method.
So my question becomes.
Do I:
Distribute a single key with the application and hope people are nice enough to not use it for illegitimate purposes.
Put in the options the ability for a user to enter their own key, hence asking each user to register an application.
Create an intermediary on my server that makes the actual request.
Something else?
I also had to consider this for my Template extension when using OAuth to communicate with the goo.gl URL shortener service on the user's behalf.
After reading Chrome's OAuth tutorial I managed to implement this simply using the following;
ChromeExOAuth.initBackgroundPage({
access_url: 'https://www.google.com/accounts/OAuthGetAccessToken',
app_name: chrome.i18n.getMessage('app_name'),
authorize_url: 'https://www.google.com/accounts/OAuthAuthorizeToken',
consumer_key: 'anonymous',
consumer_secret: 'anonymous',
request_url: 'https://www.google.com/accounts/OAuthGetRequestToken',
scope: 'https://www.googleapis.com/auth/urlshortener'
});
This is surrounded by quite a bit of logic due to the complexity of the extension but this results in the user simply being shown a page (on a new tab) the first time they attempt to shorten a URL using my goo.gl implementation. Here the user can decide to allow/deny the authentication. Since this is only done once (unless the user later removes it from their list of authorized applications) I thought this was fine and my users seem to agree.
I did also provide an option to toggle OAuth on/off but I'm guessing this will always be required for the tumblr API. On that note I must admit I'm not familiar with that particular API so I'm afraid I can't help you further.