2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How to understand the security of a RESTful API is something many newcomers are not clear about. To help with this, the editor explains it in detail below; readers with this need are welcome to learn from it and hopefully gain something.
Securing a RESTful API mainly involves three aspects:
A) authenticating the client
B) encrypting sensitive data and preventing tampering
C) authorization after authentication
There are several common practices for authenticating clients:
Add a signature parameter to the request
Assign a key to each access party and specify a method for calculating the signature; every request from the access party must carry a signature parameter. This is the simplest approach, but you must ensure that the accessor's key is stored securely, and you must also guard against replay attacks: a captured signed request is otherwise valid forever, so bind a timestamp and a one-time nonce into the signed data and reject stale or repeated values. Its advantage is that it is easy to understand and implement; the disadvantage is that you bear the burden of keeping keys safe and rotating them regularly, and the scheme is not very flexible, so updating a key or upgrading the signature algorithm is hard (carrying a key identifier in each request, so the server can hold the old and new key side by side during rotation, mitigates this).
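The signed-request scheme described above, as an added example that is not code from the original article: the client binds method, path, sorted parameters, a key identifier, a timestamp and a one-time nonce under an HMAC-SHA256 signature, and the server checks the signature in constant time, rejects requests outside a freshness window, and accepts each nonce only once. The key store, key ids, path and parameter names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Hypothetical key store: key id -> shared secret. Keying requests by id lets the
# server keep the old and new secret during rotation (assumed design, not from the page).
KEYS = {
    "client-42-v1": b"old-secret-being-retired",
    "client-42-v2": b"0123456789abcdef0123456789abcdef",
}
ALLOWED_SKEW = 300      # seconds of clock drift tolerated; older requests are rejected
AUTH_FIELDS = ("key_id", "ts", "nonce", "sig")
_seen_nonces = {}       # nonce -> expiry; stands in for a shared cache (Redis etc.)


def canonical_string(method, path, params):
    """Deterministic text both sides sign: method, path and sorted params
    (everything except the signature itself, so key id, timestamp and nonce are covered)."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sig")
    return "\n".join([method.upper(), path, urlencode(items)])


def compute_signature(secret, method, path, params):
    msg = canonical_string(method, path, params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(key_id, method, path, params, now=None):
    """Client side: add key id, timestamp, one-time nonce and HMAC-SHA256 signature."""
    signed = dict(params)
    signed["key_id"] = key_id
    signed["ts"] = int(time.time()) if now is None else now
    signed["nonce"] = secrets.token_hex(16)
    signed["sig"] = compute_signature(KEYS[key_id], method, path, signed)
    return signed


def verify_request(method, path, params, now=None):
    """Server side: returns (ok, reason). Order matters: the signature is checked
    before the nonce is recorded, so unauthenticated junk cannot fill the nonce cache."""
    now = int(time.time()) if now is None else now
    if not all(f in params for f in AUTH_FIELDS):
        return False, "missing signature fields"
    secret = KEYS.get(params["key_id"])
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(params["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > ALLOWED_SKEW:
        return False, "timestamp outside allowed window"
    expected = compute_signature(secret, method, path, params)
    if not hmac.compare_digest(expected, str(params["sig"])):
        return False, "bad signature"
    # Replay protection: a nonce is accepted once within the freshness window.
    for n, exp in list(_seen_nonces.items()):
        if exp < now:
            del _seen_nonces[n]
    nonce = params["nonce"]
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[nonce] = ts + ALLOWED_SKEW
    return True, "ok"
```

Because the timestamp and nonce are inside the signed string, an attacker who captures a request can neither replay it after the window nor change a parameter without invalidating the signature; the nonce cache only needs to remember nonces for the length of the window.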
Use the standard HTTP authentication mechanism
HTTP Basic authentication sends the credentials in the clear (only Base64-encoded), so it must be used together with HTTPS. HTTP Digest authentication sends a hash computed over the credentials and a server nonce rather than the password itself, which gives moderate protection against passive sniffing on its own; however, its RFC 2617 default hash is MD5 and it does nothing to protect the request and response bodies, so in practice it should also be deployed over HTTPS.
The Digest mechanism also lets the hash algorithm be negotiated through its algorithm parameter (RFC 7616 adds SHA-256 and SHA-512/256 to the MD5 of RFC 2617), which can further improve the security of the API. Custom algorithms are rarely used in Internet-facing APIs, though, because every client would have to support them.
For this, we need to store the access party's realm, username and password triple securely (for Digest the server only needs H(username:realm:password), not the password itself), and again guard against replay attacks: the nonce count (nc) and client nonce (cnonce) exist for this, and the server must actually check them.
Advantages: based on standards, widely supported (many HTTP server-side and client-side libraries). Responsibility for HTTP authentication on the server side can be taken by the web server (such as Nginx), the application server (such as Tomcat) or a security framework (such as Spring Security), transparently to application developers. The HTTP authentication mechanism (RFC 2617, since superseded by RFC 7617 for Basic and RFC 7616 for Digest) embodies the design principle of separation of concerns and preserves the visibility of operational semantics.
Disadvantages: the security of such a simple username + password mechanism cannot be higher than that of mechanisms based on asymmetric keys (such as digital certificates, for example client certificates in mutual TLS).
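The Digest exchange described above, as an added example that is not code from the original article: the server issues a challenge with a fresh nonce, the client answers with H(HA1:nonce:nc:cnonce:qop:HA2) so the password never crosses the wire, and the server recomputes the response from a stored HA1 and enforces a strictly increasing nonce count. The realm, the choice of SHA-256 (an RFC 7616 option; MD5 is the RFC 2617 default) and the sample user are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed realm and credentials; in production only HA1 is stored, never the password.
REALM = "api@example.com"
ALGORITHM = "SHA-256"    # RFC 7616 option; "MD5" is the RFC 2617 default
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def H(data):
    return HASHES[ALGORITHM](data.encode()).hexdigest()


USERS = {"alice": "correct horse battery staple"}   # constructed sample password
HA1_STORE = {u: H(f"{u}:{REALM}:{p}") for u, p in USERS.items()}

# server nonce -> highest nonce count accepted; the server must track this itself
_nonce_state = {}


def server_challenge():
    """The 401 WWW-Authenticate parameters: a fresh server nonce and qop=auth."""
    nonce = secrets.token_hex(16)
    _nonce_state[nonce] = 0
    return {"realm": REALM, "qop": "auth", "nonce": nonce, "algorithm": ALGORITHM}


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617/7616: response = H(HA1:nonce:nc:cnonce:qop:HA2), HA2 = H(method:uri)."""
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


def client_authorize(username, password, method, uri, challenge, nc):
    """The Authorization header parameters: the password itself is never sent."""
    ha1 = H(f"{username}:{challenge['realm']}:{password}")
    cnonce = secrets.token_hex(8)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": f"{nc:08x}", "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce),
    }


def server_verify(method, auth):
    """Recompute the response from the stored HA1; reject unknown nonces and
    non-increasing nonce counts so a captured header cannot be replayed."""
    ha1 = HA1_STORE.get(auth.get("username"))
    if ha1 is None:
        return False, "unknown user"
    nonce = auth.get("nonce")
    if nonce not in _nonce_state:
        return False, "unknown or expired nonce"
    try:
        nc = int(auth["nc"], 16)
    except (KeyError, ValueError):
        return False, "bad nonce count"
    if nc <= _nonce_state[nonce]:
        return False, "replayed nonce count"
    expected = digest_response(ha1, method, auth.get("uri", ""), nonce, nc,
                               auth.get("cnonce", ""), auth.get("qop", "auth"))
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return False, "bad response"
    _nonce_state[nonce] = nc
    return True, "ok"
```

Note what the scheme does and does not cover: HA2 binds the method and URI, so a response computed for GET cannot be reused for POST, but nothing here authenticates the message body (that would need qop=auth-int or, in practice, TLS), and a leaked HA1 is as good as the password for this realm.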
Use the OAuth protocol for identity authentication
The OAuth protocol is suited to authorizing external applications to access local resources on a user's behalf. Strictly speaking, OAuth is an authorization framework rather than an authentication scheme: the third-party application obtains a token scoped to the user and the permitted operations, and the user's password never reaches that application (OpenID Connect layers authentication on top of it). OAuth 2.0 defines no encryption of its own; its security rests on carrying bearer tokens over TLS, so it is not simply "more secure" than HTTP Digest. It should be noted that OAuth and HTTP Digest authentication do not replace each other, and their applicable scenarios differ. OAuth is more suitable for end-user-facing APIs, such as reading the Weibo posts belonging to a user. If the API is not oriented to the end-user dimension, such as storage services like Qiniu Cloud Storage, that is not a typical OAuth scenario.
To encrypt sensitive data and prevent tampering, common practices are:
Deploy a TLS infrastructure (HTTPS) so that all transmission of sensitive data runs over TLS.
Encrypt only certain sensitive fields (such as the card number + password of a prepaid card), using a fresh random nonce/IV for every message so that identical values do not produce identical ciphertexts. Note that the random number by itself does not prevent tampering: a cipher without integrity protection is malleable, so use authenticated encryption (such as AES-GCM) or an encrypt-then-MAC construction, and verify the tag before decrypting, so that any modification is detected.
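The tampering point above, shown as an added example that is not code from the original article. To stay standard-library only, the cipher here is a counter-mode stream cipher built from HMAC-SHA256 as the PRF; that construction is illustrative (production code should use AES-GCM or ChaCha20-Poly1305), but the malleability it exhibits is exactly that of any unauthenticated stream or CTR-mode cipher. The keys, the prepaid-card record and the associated data are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys; a real deployment pulls them from a KMS/HSM and rotates them.
ENC_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Counter mode with HMAC-SHA256 as the PRF. Illustrative only: it shows the
    structure of a stream cipher; production code should use AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(plaintext, nonce=None):
    """Confidentiality only. The fresh random nonce (the 'random number' of the text)
    makes identical plaintexts unlinkable; it provides no integrity."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(ENC_KEY, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def seal(plaintext, aad=b""):
    """Encrypt-then-MAC: the tag covers nonce, ciphertext and associated data (e.g. the
    account id), so the record can be neither altered nor moved to another context."""
    blob = encrypt_only(plaintext)
    tag = hmac.new(MAC_KEY, aad + blob, hashlib.sha256).digest()
    return blob + tag


def open_sealed(sealed, aad=b""):
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, aad + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # check the tag BEFORE decrypting
        raise ValueError("ciphertext, nonce or associated data was tampered with")
    return decrypt_only(blob)


def flip_byte(blob, offset, old, new):
    """Attacker: XOR one ciphertext byte so plaintext byte `old` becomes `new`.
    Needs the record layout, not the key: that is what malleability means."""
    b = bytearray(blob)
    b[NONCE_LEN + offset] ^= ord(old) ^ ord(new)
    return bytes(b)


CARD = b"card=6222000000000001;pin=1234"   # constructed prepaid-card payload
LAST_DIGIT = CARD.index(b";") - 1          # offset of the card number's last digit


def demo_unauthenticated():
    """Encryption alone: the forged record decrypts cleanly to a different card number."""
    return decrypt_only(flip_byte(encrypt_only(CARD), LAST_DIGIT, "1", "9"))


def demo_authenticated():
    """Encrypt-then-MAC: the same bit flip is detected and the record is rejected."""
    sealed = seal(CARD, aad=b"account=1001")
    try:
        open_sealed(flip_byte(sealed, LAST_DIGIT, "1", "9"), aad=b"account=1001")
        return "accepted"
    except ValueError:
        return "rejected"
```

The nonce must never repeat under the same key (a repeated nonce in a stream cipher leaks the XOR of the two plaintexts), and binding associated data such as the account id into the tag stops a valid ciphertext from being replayed against a different account.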
Authorization after identity authentication is mainly controlled by the application. You should usually implement some kind of role + user group authorization mechanism; there are many frameworks for this (such as Spring Security), though most development teams prefer to implement the relevant functions themselves. Whichever route is taken, the check must be enforced at a single choke point for every request, deny by default, and cover object-level access (whether this caller may touch this particular record, not only whether the caller holds the role), which is where hand-rolled authorization most often goes wrong.
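A minimal group-to-role-to-permission scheme with the object-level check, as an added example that is not code from the original article or from any framework it mentions. The group, role and permission tables, the order records and the endpoint handler are assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical group -> role -> permission tables; a real system loads them from config/DB.
GROUP_ROLES = {"finance": {"auditor"}, "ops": {"operator"}, "admins": {"admin"}}
ROLE_PERMS = {
    "auditor": {"orders:read"},
    "operator": {"orders:read", "orders:update"},
    "admin": {"orders:read", "orders:update", "orders:delete"},
}
ANY_OWNER_ROLES = {"admin"}   # roles allowed to act on records they do not own


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Order:
    id: int
    owner: str


ORDERS = {1: Order(1, "bob"), 2: Order(2, "alice")}   # constructed sample data


class Forbidden(Exception):
    pass


def roles_for(user):
    return set().union(*(GROUP_ROLES.get(g, set()) for g in user.groups))


def permissions_for(user):
    return set().union(*(ROLE_PERMS.get(r, set()) for r in roles_for(user)))


def is_allowed(user, permission, resource=None):
    """Deny by default. Two checks: the function-level one (does the caller hold the
    permission at all) and the object-level one (may the caller touch this record),
    the latter being the check most often missing in hand-rolled schemes."""
    if permission not in permissions_for(user):
        return False
    if resource is not None and resource.owner != user.name:
        return bool(roles_for(user) & ANY_OWNER_ROLES)
    return True


def get_order(user, order_id):
    """Endpoint handler: authorization enforced at one choke point before returning data.
    Missing and forbidden records get the same answer so existence is not leaked."""
    order = ORDERS.get(order_id)
    if order is None or not is_allowed(user, "orders:read", order):
        raise Forbidden(f"{user.name} may not read order {order_id}")
    return order
```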
© 2024 shulou.com SLNews company. All rights reserved.