API development - how to make it secure?

I collect read and write methods for my database and expose them through the URL (I use the CodeIgniter structure and URL segments to pass parameters to these methods). The original idea was for my Ajax script to call these methods. However, now I think I could potentially expose these methods to any developer.

What should I do to make sure that only authorized developers use my API? I think they should pass an API key and possibly a password with each method call. If I provided them with such data, would it be safe enough?

Also, I think I should support POST instead of GET, as some of the required parameters may not fit into URL segments. Thoughts?

+4
3 answers

An OAuth implementation (http://oauth.net/documentation/getting-started/) will work for what you are trying to do. I'm not sure what type of data you provide, but I agree with TradyBlix that it is probably the better option. I have implemented it before; it is not so difficult to understand, and it is well documented by the many APIs that handle user data with it.

Another thing you should think about is restricting API keys to domains, so that a developer can only use his own API key from his own domain. This goes a long way toward keeping out an unauthorized developer, at least one without access to both the allowed domain and the matching key.

+2

First: HTTPS is required.

HTTPS ensures that a secure channel is established before any request data is sent. Yes, before any request data is sent: URLs, headers, cookies, GET or POST parameters... whatever. This means that you can use simple methods such as HTTP Basic authentication over HTTPS without putting your users' credentials at risk.

This is really non-negotiable unless the data you pass to the API is genuinely public. If you are not using HTTPS, all communication with your API (including HTTP Basic credentials) can be sniffed in plain text.

The only reason major sites (like Facebook) do not use HTTPS is that it becomes expensive at a massive scale.

If you absolutely cannot run HTTPS, you should look into OAuth, which takes steps toward authenticating API calls in exactly this situation. With OAuth, you can authenticate users while keeping their credentials private over unencrypted channels.

Second: authentication is not authorization.

Do not blindly trust data from authenticated users. Make sure that the methods and actions they request are appropriate for them; otherwise you may hand your users a backdoor to other users' data or to administrative functions.

There is much more to it than that, but if you follow these two principles, you are already well on your way.

+2
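The two principles in the answer above, signed requests that never put the shared secret on the wire (the OAuth-style approach for unencrypted channels) and an ownership check that is separate from authentication, as an added example that is not part of the original question or any of the answers. It is written in Python rather than the asker's PHP/CodeIgniter so the logic can be run as-is; the client table, record table, header names (X-Api-Key, X-Timestamp, X-Nonce, X-Signature) and the `/api/records/read` path are all constructed for the example and are not from the page.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed client table: API key -> shared secret and the user it belongs to.
# In the asker's setup this would be a database table, not a dict.
CLIENTS = {
    "key-alice": {"secret": b"alice-shared-secret-0123456789abcdef", "owner": 1},
    "key-bob": {"secret": b"bob-shared-secret-fedcba9876543210", "owner": 2},
}

# Constructed record table: record id -> owning user id.
RECORDS = {101: 1, 102: 2}

MAX_CLOCK_SKEW = 300          # seconds a signed request stays acceptable
_seen_nonces = set()          # replay cache; bound it to MAX_CLOCK_SKEW in real use


def canonical_string(method, path, params, api_key, timestamp, nonce):
    """Serialize the request deterministically so client and server sign identical bytes.
    Parameters are sorted so dict ordering cannot change the signature."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, api_key, str(timestamp), nonce])


def sign(secret, method, path, params, api_key, timestamp, nonce):
    """HMAC-SHA256 over the canonical string; the secret itself is never transmitted."""
    message = canonical_string(method, path, params, api_key, timestamp, nonce)
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def client_request(api_key, secret, method, path, params):
    """Client side: build a request carrying key, timestamp, nonce and signature headers."""
    timestamp = int(time.time())
    nonce = secrets.token_hex(8)
    signature = sign(secret, method, path, params, api_key, timestamp, nonce)
    return {
        "method": method,
        "path": path,
        "params": dict(params),
        "headers": {
            "X-Api-Key": api_key,
            "X-Timestamp": str(timestamp),
            "X-Nonce": nonce,
            "X-Signature": signature,
        },
    }


def authenticate(request, now=None):
    """Server side: verify the signature and return the calling user's id.
    This only establishes WHO is calling, nothing about what they may touch."""
    headers = request["headers"]
    client = CLIENTS.get(headers.get("X-Api-Key", ""))
    if client is None:
        raise PermissionError("unknown api key")
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        raise PermissionError("bad timestamp")
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        raise PermissionError("stale request")
    nonce = headers.get("X-Nonce", "")
    expected = sign(client["secret"], request["method"], request["path"],
                    request["params"], headers["X-Api-Key"], timestamp, nonce)
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        raise PermissionError("bad signature")
    # Record the nonce only after a valid signature, so strangers cannot burn nonces.
    if nonce in _seen_nonces:
        raise PermissionError("replay detected")
    _seen_nonces.add(nonce)
    return client["owner"]


def read_record(request):
    """The exposed 'read' method: authenticate, then AUTHORIZE against the record's owner."""
    caller = authenticate(request)
    record_id = int(request["params"]["id"])
    if RECORDS.get(record_id) != caller:
        # Authenticated, but not this user's data: refuse instead of trusting the id.
        raise PermissionError("not your record")
    return {"id": record_id, "owner": caller}


def attempt(request):
    """Convenience wrapper: return the record, or the reason the call was refused."""
    try:
        return read_record(request)
    except PermissionError as exc:
        return str(exc)
```

Over HTTPS the signing layer is optional and HTTP Basic authentication is sufficient, as the answer says; signing protects the credential on a plaintext channel but does nothing for the confidentiality of the request and response bodies, which still travel in the clear. The ownership check in `read_record` is the part that is needed regardless of transport.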

Perhaps you should check out OAuth. It is "an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications."

I honestly have not tried it myself, but it is the first thing I thought of when you mentioned "authorized developers use my API". Just an idea.

+1
