Ask HN: issues involved with implementing secure RESTful APIs

9 points by pm ↗ HN
Hi all,

I was curious about the issues involved with implementing a secure RESTful API over HTTP/HTTPS. I have a passing knowledge of the issues (HTTP basic authorisation, API tokens, etc.), but I couldn't find any detailed literature on the subject, and I would like to be able to assist our clients in designing these systems from a more enlightened position than "I know slightly more than you."

Any explanations of API design decisions, or more thorough treatises on the topic would be greatly appreciated. I'm also open to suggestions such as XML RPC/SOAP, etc. I need as much knowledge as I can - dealing with client-designed APIs constitutes most of my work.

3 comments

[ 3.8 ms ] story [ 17.9 ms ] thread
There is nothing fundamentally different about a RESTful API compared to any other type of HTTP request.

Use SSL to encrypt all sensitive data during transit, and think carefully about the best authentication method for your circumstances: you could consider the use of OAuth2 so that developers can authenticate your users, without requiring the users to expose their credentials.

There are a few ideas here: http://stackoverflow.com/questions/7551/best-practices-for-s...

Thanks for that. The ensuing discussion helped.
RE: designing a set of reusable APIs, or APIs built in reusable components A lot of what results in a successful, security-conscious API stems from adherence and discipline to good development practices and thinking through your API. A few that have really helped me:

- leverage the power of a suite of SCM/dev tools that match your work flow - realign your work flow to include good development practices: scm such as hg/git, rst documentation with sphinx/etc, build and testing suites - use a simple svg editor for diagraming (anyone can use inkscap) - learn how to think of these abstract model-relationships spatially and relationally - build new functionality out of tests that define your goals/intentions and the limitations imposed - use automated tests at various levels, to ensure the above fits your design - write code with the intention that it be reused, decouple sensibly - understand that there is 'the right way' and 'just-another-hack', try to go 'the right way' as often as you can, you'd be surprised how much it saves you in the long run

Most web APIs could be broken up into a standard set of steps: - initial authentication & authorization, note the difference between these steps, of request source - validation & verification of request data - processing & preparation of request/response data - formatting of response - response & backchannel communication

consider how your APIs can share common code, use APIs internally where it appropriate. decouple components. for example, your data processing components could function independently of the formatting of the input data, and which could be different from the response formatting itself. offer flexibility to your clients and support good development practices everywhere.

use white lists instead of black lists. "what is allowed" over "what is not allowed" as it easier to extend than patch. hack your system, bend it and break it, consider a vulnerability assessment application. consider your audiences and who would want to break your app, intentionally or not.