Using a RESTful API - is it safe?

We partner with a service provider that offers its services through a RESTful API.

We authenticate to the API by passing the username and password as URL parameters.

Example: https://example.com/api/service.json?api_user=Username&api_key=Password

I know this is using SSL. However, since the username and password are part of the URL, could they not be intercepted by a third party?

+6
3 answers

No, a third party can only see the destination (example.com). The rest of the URL is actually embedded inside the request.

It helps to understand the HTTP (or HTTPS) request process:

  • Determine the protocol (in this case HTTPS, on port 443)
  • Get the server's IP address using DNS
  • Establish a TCP connection to the server (if SSL is enabled, this is a little more complicated)
  • Issue a request to the server over the new connection, which will look something like this:

    GET /api/service.json?api_user=Username&api_key=Password

Since the actual request is part of the encrypted data stream, there is no way for someone monitoring the connection to extract confidential information.

+7

The previous answers are technically correct; if you use HTTPS, the URL and query string will be encrypted before transmission and can be considered secure.

However, the fact that the API asks for a username and password as request parameters may indicate a somewhat weak approach to security.

For example, many web servers log query-string request parameters by default, which means that your plaintext credentials may end up somewhere on disk (and many companies store or back up web server logs in insecure ways).

In short: passing credentials as query parameters is not a security risk per se, but it is usually bad practice and can be a symptom of bigger security problems.

+6
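As an added example that is not part of the original question or any of the answers, the following Python script illustrates both points made so far: what a passive observer of an HTTPS connection sees versus what travels inside the encrypted request, and how the very same request lands in a default-format web server access log. The hostname, the sample log line, and the set of parameter names treated as sensitive are constructed for illustration; the Authorization-header variant at the end is one common alternative to query-string credentials, not something the provider in the question is known to offer.

```python
"""
Added example (not from the original question or answers).

Shows the two sides of the discussion:
  1. On the wire, a passive observer sees only connection metadata
     (hostname via DNS and the TLS SNI extension, IP, port); the HTTP
     request line, query string included, is inside the TLS stream.
  2. At the origin, the default access log format records the request
     line, so query-string credentials end up on disk in plaintext.
All hostnames, log lines and parameter names are constructed.
"""
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: parameter names we consider credential-bearing.
SENSITIVE_PARAMS = {"api_key", "api_user", "password", "token"}


def split_observable(url):
    """Separate what a network observer sees from what is TLS-encrypted.

    The hostname is visible through the DNS lookup and the TLS SNI
    extension; path and query exist only in the encrypted HTTP request.
    """
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    return {
        "observable": {"host": u.hostname, "port": port, "sni": u.hostname},
        "encrypted": {"request_line": f"GET {target} HTTP/1.1",
                      "host_header": u.hostname},
    }


def common_log_line(client_ip, method, target, status=200, size=123):
    """Build a Common Log Format line as Apache/nginx write by default.

    Note that the full request target, query string and all, is logged.
    (Timestamp is a constructed constant.)
    """
    return (f'{client_ip} - - [10/Oct/2000:13:55:36 -0700] '
            f'"{method} {target} HTTP/1.1" {status} {size}')


def credentials_in_log(line):
    """Return the sensitive query parameters recorded in a CLF line."""
    fields = line.split('"')
    if len(fields) < 2:
        return {}
    parts = fields[1].split(" ")          # "<method> <target> <version>"
    if len(parts) < 2 or "?" not in parts[1]:
        return {}
    query = parts[1].split("?", 1)[1]
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_target(target):
    """Mitigation on the logging side: scrub sensitive params before writing."""
    if "?" not in target:
        return target
    path, query = target.split("?", 1)
    params = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
              for k, v in parse_qsl(query, keep_blank_values=True)]
    return path + "?" + urlencode(params)


def basic_auth_request(url, user, password):
    """Alternative design: credentials in an Authorization header.

    Returns (request target, headers). CLF does not record headers by
    default, so the credentials no longer land in the access log.
    """
    u = urlsplit(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (u.path or "/"), {"Host": u.hostname, "Authorization": f"Basic {token}"}


if __name__ == "__main__":
    url = "https://example.com/api/service.json?api_user=Username&api_key=Password"
    print(split_observable(url))
    line = common_log_line("203.0.113.5", "GET", url.split("example.com", 1)[1])
    print(line)
    print("credentials found in log:", credentials_in_log(line))
    print("redacted:", redact_target(url.split("example.com", 1)[1]))
    print(basic_auth_request(url, "Username", "Password"))
```

Running the script with the URL from the question shows the observable side containing only example.com and port 443, while the access log line carries both credentials verbatim; the header-based variant produces a log line with a bare path.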

However, since the username and password are part of the URL, can this be intercepted by a third party?

The URL is also sent under encryption. In other words, the encryption is set up before the URL is sent to the server.

You are safe.

+5