Securing a REST API

Posted by Christopher McCann on Stack Overflow See other posts from Stack Overflow or by Christopher McCann
Published on 2010-04-20T15:10:33Z Indexed on 2010/04/20 15:13 UTC
Read the original article Hit count: 208

Filed under:

rest

|

ssl

|

oauth

|

web-services

I am in the middle of developing a REST API - the first one I ever have.

The data being passed through the API is not of such a critical nature that there will be loss of life, economics etc if it was intercepted but at the same time I would like it to be secure. The data being transferred is simply like the data that would be transferred on Twitter or Facebook - not overly confidential but still should be kept private.

What is the best way to secure this data? Am I best to use HTTP Basic Auth over SSL or should I be looking into something like OAuth. I have never really used REST much before so bit of a first for me.

Thanks

© Stack Overflow or respective owner

Related posts about rest

REST: How to store and reuse REST call queries

as seen on Programmers - Search for 'Programmers'
I'm learning C# by programming a real monstrosity of an application for personal use. Part of my application uses several SPARQL queries like so: const string ArtistByRdfsLabel = @" PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#> SELECT… >>> More
REST Framework - MS Web Api vs the rest of the field

as seen on Programmers - Search for 'Programmers'
I am a .NET developer who is looking into the OSS world for a REST framework similar to Microsoft's Web Api. I'll be starting a personal project soon and need to develop both a web site and an API with the API coming first. I've ruled out Ruby on Rails just because I feel that with my background… >>> More
Self Hosted WCF REST Service or Hosting WCF REST Service in Console Application

as seen on C# Corner - Search for 'C# Corner'
n this article, I will show you How to create a REST based service, How to host a REST,based service in Console application and How to consume a REST Service at client. >>> More
Trouble determining proper decoding of a REST response from an ArcGIS REST service using IHttpModule

as seen on Stack Overflow - Search for 'Stack Overflow'
First a little background on what I am trying to achieve. I have an application that is utilizing REST services served by ArcGIS Server and IIS7. The REST services return data in one of several different formats. I am requesting a JSON response. I want to be able to modify the response (remove… >>> More
WCF REST on .Net 4.0

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
A simple and straight forward article taken from: http://christopherdeweese.com/blog2/post/drop-the-soap-wcf-rest-and-pretty-uris-in-net-4 Drop the Soap: WCF, REST, and Pretty URIs in .NET 4 Years ago I was working in libraries when the Web 2.0 revolution began. One of the things that caught… >>> More

Related posts about ssl

Plesk SSL Certificate (Default cert when SSL enabled, CORRECT cert when SSL is disabled)

as seen on Server Fault - Search for 'Server Fault'
I'm running Plesk 8.6.0: I have an SSL cert installed through Plesk's admin interface. But I have a bit of an issue: When I enabled SSL for the site, and selected my cert, then restart httpd, Plesk defaults to using my self-signed default certificate. Conversely, when I disable SSL support for the… >>> More
apache renew ssl not working [on hold]

as seen on Server Fault - Search for 'Server Fault'
Downloaded a new ssl cert from go daddy and installed the cert on apache2 server put the cert in /etc/ssl/certs/ folder put the gd_bundle.crt in the /etc/ssl/ folder private key is in /etc/ssl/private/private.key I just replaced the original files with the new files, did not replace the private… >>> More
Cant connect to mysql using self signed SSL certificate

as seen on Server Fault - Search for 'Server Fault'
After creating a self-signed SSL certificate, I have configured my remote mysqld to use them (and ssl is enabled) I ssh into my remote server, and try connecting to its own mysqld using ssl (mysql server is 5.5.25).. ~> mysql -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client… >>> More
How to log invalid client SSL certificate in SSL

as seen on Server Fault - Search for 'Server Fault'
I have a IIS web site which requires client certificate. I have turned off CRL checking. The client is unable to access the web site - he gets 403.17 (certificate expired) error. I would like to log the certificate he is using, becaue I think he is using the wrong certificate. Is there a way to… >>> More
Mixing SSL and non-SSL content in an Apache2 virtual host

as seen on Server Fault - Search for 'Server Fault'
I have a (hopefully) common scenario for one of my sites that I just can't seem to figure out how to deploy correctly. I have the following site and directories for example.com: These need to require SSL: /var/www/example.com/admin /var/www/example.com/order These need to be non-SSL: /var/www/example… >>> More