Security in a private web service
- by Oni
I am developing a web site and a web service for a small on-line game. Technically, I'll be using Express (node.js) and MongoDB+Redis for the databases. This is the structure I came up with:
One Express server that will serve as the Web Service. This will connect to the databases.
One Express server that will provide the web site. It will connect to the Web Service to retrieve and push the information.
iOS and Android applications will be able to interact with the Web Service.
Taking into account:
It is a small game. The information transferred is not critical.
There will NOT be third party applications. At least for the moment.
My concern is about which level of security I should use in each of the scenarios:
Security of the user playing through web browser
Security of the applications and the Web Server connecting to the WS.
I have taken a look at the different options and:
OAuth and/or HTTPS is too much for this scenario, isn't it?
Would it be a good option to hash the user and password with MD5 (or similar) and some salt?
I would like to get some directions and investigate on my own rather than getting a response like "you should use this node.js module..."
Thanks in advance,