How to design the security of restful APIs

Source: Internet
Author: User
Tags: http authentication, http digest authentication, oauth

Securing a RESTful API covers three areas:
a) authenticating the client;
b) encrypting sensitive data and preventing tampering;
c) authorizing the client once it has been authenticated.


1. Authenticating the client. There are several common approaches:

1) Add a signature parameter to every request. Each access party (API client) is issued its own key, and the API specifies how the signature is computed over the request; a request from an access party without a valid signature is rejected.

This is the simplest approach, but the access key must be kept secret, and the scheme has to guard against replay attacks (for example by signing a timestamp and a one-time nonce and rejecting stale or repeated values). Its advantages are that it is easy to understand and implement. Its disadvantages are that the API owner bears the burden of distributing and regularly rotating keys, and that the scheme is rigid: because it is home-grown, rotating a key or upgrading the signature algorithm is hard unless each request also carries a key identifier and an algorithm version that the server can use to select the right key and scheme.

2) Use the standard HTTP authentication mechanisms

HTTP Basic authentication merely Base64-encodes username:password, which is not encryption, so it must only be used over HTTPS.

HTTP Digest authentication is a challenge-response scheme: the password itself is never transmitted, only a hash that depends on the server nonce, a client nonce and a nonce count, which gives it some replay resistance on its own. Its security is moderate: an attacker who observes the exchange can still run an offline dictionary attack against the hash, and Digest protects nothing else in the request, so in practice it too should run over HTTPS.

Digest's `algorithm` directive also lets client and server negotiate the hash function (MD5 in RFC 2617, with SHA-256 variants added in RFC 7616), and the syntax allows a server to define its own token, which can raise the security of the API further. Non-standard algorithms are rarely used in Internet-facing APIs, though, because every client must understand them.

With this approach the server must protect the (realm, username, password) triple. It can store HA1 = H(username:realm:password) instead of the clear-text password, but that value is still password-equivalent within the realm and must be protected accordingly. Replay attacks also have to be considered: the server should accept only nonces it issued, expire them, and check that the nonce count advances on each request.

Pros: it is standards-based with broad support (a large number of HTTP servers and client libraries). On the server side, HTTP authentication can be handled by the web server (such as Nginx), the application server (such as Tomcat) or a security framework (such as Spring Security), transparently to the application developer. The HTTP authentication framework (RFC 2617, since split into RFC 7235, RFC 7617 for Basic and RFC 7616 for Digest) is a good embodiment of the "separation of concerns" design principle and preserves the visibility of the operation's semantics.

Cons: a scheme based only on a username and password can never be as secure as one based on an asymmetric key (such as a client certificate), because the shared secret (or, for Digest, a password-equivalent hash) must exist on the server as well as the client.
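The Digest exchange described above, worked through as an added example (this is not code from the original article): the client derives the `response` directive from the server's challenge, and the server, holding only HA1 rather than the password, recomputes it and tracks the nonce count so that a captured header cannot be replayed. The inputs are the worked example from RFC 2617 section 3.5 (algorithm MD5, qop=auth); tracking which nonces the server issued and when they expire is left out and assumed to exist around this code.

```go
package main

// Added example, not code from the original article: HTTP Digest authentication
// (RFC 2617 / RFC 7616, algorithm=MD5, qop=auth) computed on both sides.
// The server stores HA1 = MD5(username:realm:password) instead of the password,
// recomputes the client's "response", and rejects a nonce-count that does not
// advance, so a captured Authorization header cannot simply be replayed.

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
)

func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// ha1 is the value the server may store instead of the clear-text password.
// It is still password-equivalent for this realm, so it must be protected like one.
func ha1(username, realm, password string) string {
	return md5Hex(username + ":" + realm + ":" + password)
}

// digestResponse computes the "response" directive for qop=auth:
// MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
func digestResponse(h1, method, uri, nonce, nc, cnonce string) string {
	h2 := md5Hex(method + ":" + uri)
	return md5Hex(h1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + h2)
}

// DigestServer keeps per-user HA1 values and the highest nonce-count accepted
// for each server nonce.
type DigestServer struct {
	realm  string
	ha1s   map[string]string // username -> HA1
	lastNC map[string]uint64 // nonce -> last accepted nc
}

func NewDigestServer(realm string) *DigestServer {
	return &DigestServer{realm: realm, ha1s: map[string]string{}, lastNC: map[string]uint64{}}
}

func (s *DigestServer) AddUser(username, password string) {
	s.ha1s[username] = ha1(username, s.realm, password)
}

// Verify checks the fields of an Authorization: Digest header. It returns false
// for an unknown user, a wrong response, or a nonce-count that was already used.
// (A real server also checks that nonce is one it issued and has not expired.)
func (s *DigestServer) Verify(username, method, uri, nonce, nc, cnonce, response string) bool {
	h1, ok := s.ha1s[username]
	if !ok {
		return false
	}
	count, err := strconv.ParseUint(nc, 16, 32)
	if err != nil || len(nc) != 8 {
		return false
	}
	expected := digestResponse(h1, method, uri, nonce, nc, cnonce)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(response)) != 1 {
		return false
	}
	if count <= s.lastNC[nonce] { // replayed or out-of-order nonce count
		return false
	}
	s.lastNC[nonce] = count
	return true
}

func main() {
	// Inputs are the worked example of RFC 2617 section 3.5.
	const realm, user, pass = "testrealm@host.com", "Mufasa", "Circle Of Life"
	const nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
	srv := NewDigestServer(realm)
	srv.AddUser(user, pass)

	// Client side: derive the response from the challenge; the password never leaves the client.
	resp := digestResponse(ha1(user, realm, pass), "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
	fmt.Println("response:", resp) // RFC 2617 lists 6629fae49393a05397450978507c4ef1

	fmt.Println("first use:", srv.Verify(user, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
	fmt.Println("replay:   ", srv.Verify(user, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
}
```

The signature check runs before the nonce-count check so that an attacker who cannot forge a response cannot burn nonce counts for a legitimate user. Note what the scheme does not do: the hash is computed over the method and URI only, so headers and the body are unprotected unless qop=auth-int is used, and anyone who captures the exchange can grind the password offline.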

3) Use the OAuth protocol

OAuth is designed for authorizing an external application to access resources on a site on a user's behalf, and the user's password is never shared with that application; in that respect it is stronger than HTTP Digest, where a password or password-equivalent hash is held by every party that verifies it. Note that OAuth and HTTP Digest are not interchangeable; they address different scenarios. OAuth fits APIs whose resources belong to end users, such as reading Weibo posts that are part of a user's profile. If the API is not about end-user resources, for example a storage service such as Qiniu (七牛) cloud storage, it is not a typical OAuth scenario.

2. Encrypting sensitive data and preventing tampering. Common practices are:

1) Deploy an SSL/TLS infrastructure (that is, HTTPS) and transmit all sensitive data over it.
2) Additionally encrypt particular sensitive fields at the application layer (for example the card number plus password of a prepaid card). Use a fresh random value (nonce or salt) for each message so that equal plaintexts do not produce equal ciphertexts, and protect the ciphertext with an authentication tag or MAC: it is the tag, not the randomness, that lets the receiver detect tampering. An authenticated-encryption mode such as AES-GCM provides both in one step.
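Field-level encryption of the prepaid-card example in point 2), as an added example that is not code from the original article. It uses AES-256-GCM from the Go standard library; the per-message random nonce is the "random number" the text refers to, the GCM tag is what detects tampering, and an order id is bound in as associated data so a ciphertext cannot be moved from one request to another. The key, card number and order ids are constructed for the demonstration.

```go
package main

// Added example, not code from the original article: application-level
// encryption of one sensitive field (card number + PIN of a prepaid card) with
// AES-256-GCM. The fresh random nonce plays the role of the article's "random
// number": equal plaintexts produce different ciphertexts. Tamper detection
// comes from the GCM authentication tag, not from the randomness, and the
// associated data binds the ciphertext to a context (here an order id) so it
// cannot be cut from one request and pasted into another.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher takes a 32-byte key (AES-256). In production the key comes from
// a KMS or secret store, never from the request or the source tree.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts plaintext under the given context string (used as AAD) and
// returns base64(nonce || ciphertext || tag), the form stored or sent in JSON.
func (f *FieldCipher) Seal(plaintext, context string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce passed as dst, giving nonce||ct||tag.
	out := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or context makes the
// tag check fail; the caller learns only that verification failed.
func (f *FieldCipher) Open(token, context string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(context))
	if err != nil {
		return "", errors.New("authentication failed: tampered data, wrong key or wrong context")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; see NewFieldCipher
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	secret := "6228480402564890018:123456" // constructed card number + PIN
	a, _ := fc.Seal(secret, "order=1001")
	b, _ := fc.Seal(secret, "order=1001")
	fmt.Println("same input, different tokens:", a != b)
	pt, err := fc.Open(a, "order=1001")
	fmt.Println("decrypted:", pt, err)
	_, err = fc.Open(a, "order=1002") // ciphertext moved to another order
	fmt.Println("wrong context:", err)
}
```

Two design points carry over to any implementation: never reuse a nonce under the same key (GCM's authenticity collapses if you do, which is why the nonce is drawn fresh from `crypto/rand` rather than derived from the data), and put whatever identifies the legitimate context of the ciphertext into the associated data rather than relying on the surrounding JSON, which is not authenticated.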

3. Authorization after authentication is mainly controlled by the application. You should normally implement some form of authorization based on roles and user groups. There are many frameworks for this (such as Spring Security), but most development teams prefer to implement the functionality themselves.

For RESTful APIs, the usual security measures continue to apply. To prevent tampering, all parameters can be signed; to prevent replay, the request can carry a one-time token (nonce) or a token that is valid only for a short period; encrypting the payload limits what leaks if a message is captured. Against DDoS, existing HTTP traffic-scrubbing policies keep working, because these are ordinary HTTP requests.
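The signature-parameter scheme of approach 1) in section 1, combined with the signed-parameters and one-time/short-lived token advice of the paragraph above, as one added example that is not code from the original article. Each client holds a secret identified by a key id, so keys can be rotated and the scheme versioned; the HMAC-SHA256 covers method, path, sorted parameters, a body hash, a timestamp and a nonce; the server recomputes it, rejects stale timestamps and refuses nonces it has already accepted. The 300-second window, the "v1" version tag, and the client secret and request values are assumptions constructed for the example.

```go
package main

// Added example, not code from the original article: the per-client key and
// signature parameter of approach 1) plus the replay defences recommended in
// the text. The client signs method, path, sorted parameters, body hash,
// timestamp and a one-time nonce with HMAC-SHA256 and sends a key id with the
// request; the server recomputes the HMAC, rejects stale timestamps and nonces
// it has already accepted. Window length and "v1" tag are assumptions.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

const freshnessWindow int64 = 300 // seconds of tolerated request age / clock skew

type SignedRequest struct {
	KeyID, Method, Path, Nonce, Signature string // Signature: hex HMAC-SHA256 parameter
	Params                                map[string]string // query parameters, signature excluded
	Body                                  []byte
	Timestamp                             int64 // Unix seconds, sent with the request
}

// stringToSign canonicalises everything the server must be able to trust;
// sorting the parameters makes client and server agree regardless of order.
func stringToSign(r *SignedRequest) string {
	keys := make([]string, 0, len(r.Params))
	for k := range r.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, k+"="+r.Params[k])
	}
	bodyHash := sha256.Sum256(r.Body)
	return strings.Join([]string{"v1", r.Method, r.Path, strings.Join(pairs, "&"),
		hex.EncodeToString(bodyHash[:]), strconv.FormatInt(r.Timestamp, 10), r.Nonce}, "\n")
}

// Sign is what the client computes with the secret issued for its key id.
func Sign(r *SignedRequest, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(stringToSign(r)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verifier is the server side: a key table indexed by key id (rotation means
// adding a new id and retiring the old one) and the nonces seen in the window.
type Verifier struct {
	keys map[string][]byte
	seen map[string]int64 // "keyid:nonce" -> timestamp of first use
}

func NewVerifier(keys map[string][]byte) *Verifier {
	return &Verifier{keys: keys, seen: map[string]int64{}}
}

// Verify returns nil only for an authentic, fresh, never-before-seen request.
// now is the server clock in Unix seconds, passed in to keep tests deterministic.
func (v *Verifier) Verify(r *SignedRequest, now int64) error {
	secret, ok := v.keys[r.KeyID]
	if !ok {
		return fmt.Errorf("unknown key id %q", r.KeyID)
	}
	if d := now - r.Timestamp; d > freshnessWindow || d < -freshnessWindow {
		return fmt.Errorf("timestamp %d outside freshness window", r.Timestamp)
	}
	// Constant-time compare, done before touching the nonce cache so that
	// unauthenticated traffic cannot fill it.
	if !hmac.Equal([]byte(Sign(r, secret)), []byte(r.Signature)) {
		return fmt.Errorf("bad signature")
	}
	for k, ts := range v.seen { // drop nonces too old to be replayable anyway
		if now-ts > freshnessWindow {
			delete(v.seen, k)
		}
	}
	key := r.KeyID + ":" + r.Nonce
	if _, dup := v.seen[key]; dup {
		return fmt.Errorf("replayed nonce %q", r.Nonce)
	}
	v.seen[key] = r.Timestamp
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // issued to the client out of band
	srv := NewVerifier(map[string][]byte{"client-42": secret})
	req := &SignedRequest{KeyID: "client-42", Method: "POST", Path: "/v1/transfer",
		Params: map[string]string{"to": "acct-7", "amount": "100"},
		Body:   []byte(`{"memo":"rent"}`), Timestamp: 1700000000, Nonce: "8f1c2d3e4b5a6978"}
	req.Signature = Sign(req, secret)
	fmt.Println("fresh: ", srv.Verify(req, 1700000010))
	fmt.Println("replay:", srv.Verify(req, 1700000020))
}
```

The nonce cache only has to remember nonces for as long as the timestamp window allows a request to be accepted, which is what keeps it bounded; in a multi-node deployment it lives in a shared store such as Redis, and the key table is what makes rotation painless: issue a new key id, let clients migrate, then delete the old entry.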

For authorization and authentication, OAuth 2.0 has largely matured and is widely used. If you can, delegating to a third-party account system is a good choice, such as Google or Facebook; there are also several domestic providers.
