How to build secure RESTful web services
Most of the APIs today implement token-based user authentication
With the world moving towards language agnostic APIs, the use of web services over HTTP has grown exponentially. Web services over HTTP allow different types of systems developed on different platforms to communicate with each other.
REST architectural style is one way to develop such APIs. Whether you comply to REST recommendations exactly or you modify them to suit your application, the security of web services over HTTP remains a challenge.
Major security challenges include being able to securely authenticate the user and prevent security attacks like Replay and Man in the Middle, a good REST API should encompass all possible measures to deal with them.
Most of the APIs today implement token-based user authentication. It is important to understand how the token-based authentication has evolved. Since the web services are designed to be stateless and can be consumed by any kind of HTTP client like a browser or a mobile app, securely authenticating user and managing user sessions is a challenge.
There are concerns such as whether user passwords should be passed over the network or not. Unless credentials are not passed over the network, how can we securely authenticate the user? What if my organisation is not able to use HTTPS and there is a chance of data being attacked by a man-in-the-middle before it reaches the server?
How to avoid a request that was already served from being replayed by the attacker? How to harden the web service endpoints while using HTTPS? How can I limit the access of web service endpoints to a specific set of users or customers?
To answer these questions, the developer community has come up with solutions like multiple flows of OAuth, Mutual/Two-way SSL Authentication and Signature Verification to tackle man in the middle attacks and Cryptographic Nonce + Timestamp verification to prevent replay attacks.
To understand these approaches in detail, watch the webinar.
Abhilshit Soni is lead engineer at Here