Reputation: 9827
I have a public RESTful API that is used for user authentication for a web application; it accepts the user id and password in clear text (see below). The username is passed in the URL path as a path parameter and the password is a query string parameter. The HTTP GET comes from another web application on the server side (HTTP client request). Is this API secure? I was under the impression that the URL cannot be seen if the request is going from server to server. My main fear is that someone could use something like Firebug, see the traffic and get the user id and password.
REST end point:
HTTP GET https://host:80/user/joebob?password=pass123
Upvotes: 0
Views: 261
Reputation: 26584
Someone most definitely could see the username and password with a simple network sniffer. If you are POSTing the request, why are the parameters in the URL? They should be in the body like a normal POST, then at least the SSL protection kicks in and people can't sniff them. Another option would be for you to look at HTTP Basic Auth.
Upvotes: 1
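An added example, not code from either poster, comparing the three shapes of request the answer discusses: the endpoint as posted (password in the query string), the same credential moved into a POST body, and HTTP Basic Auth. Nothing here touches the network; each builder returns what a client would put on the wire, and a constructed common-log-format line shows what the receiving server, or any proxy in the path, typically records. The `/login` path, the `host` hostname and the log line are assumptions made for the example. It shows two things the answer leaves implicit: without TLS every variant is readable by a sniffer (Basic Auth is base64, an encoding, not encryption), and even with TLS the query-string variant still lands the password in access logs, because the request target is logged verbatim while headers and bodies are not.

```python
"""Constructed comparison of three ways to send the credential from the question.
No network I/O: builders return the request pieces, a fake access-log line shows
what a server or proxy would record.
"""
import base64
import json
from urllib.parse import quote, urlencode

HOST = "host"  # hostname taken from the question; hypothetical


def get_with_query(user: str, password: str) -> dict:
    """The endpoint as posted: GET /user/<user>?password=<password>."""
    target = f"/user/{quote(user, safe='')}?{urlencode({'password': password})}"
    return {"method": "GET", "target": target,
            "headers": {"Host": HOST}, "body": b""}


def post_with_body(user: str, password: str) -> dict:
    """Credential moved into a POST body (the /login path is an assumption)."""
    body = json.dumps({"user": user, "password": password}).encode()
    return {"method": "POST", "target": "/login",
            "headers": {"Host": HOST,
                        "Content-Type": "application/json",
                        "Content-Length": str(len(body))},
            "body": body}


def get_with_basic_auth(user: str, password: str) -> dict:
    """HTTP Basic Auth: credential in the Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"method": "GET", "target": f"/user/{quote(user, safe='')}",
            "headers": {"Host": HOST, "Authorization": f"Basic {token}"},
            "body": b""}


def access_log_line(req: dict, status: int = 200) -> str:
    """Constructed common-log-format line: the request target is logged
    verbatim; headers and body are not."""
    return (f'10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] '
            f'"{req["method"]} {req["target"]} HTTP/1.1" {status} 0')


def secret_in_log(req: dict, password: str) -> bool:
    """Does the password survive into the server's access log?
    This leak is independent of TLS, which protects only the wire."""
    return password in access_log_line(req)


def secret_on_wire_in_clear(req: dict, password: str) -> bool:
    """Would a sniffer on a plain-HTTP hop recover the password?
    Serialises the request as sent and also decodes a Basic token,
    since base64 hides nothing from an attacker."""
    wire = f"{req['method']} {req['target']} HTTP/1.1\r\n"
    wire += "".join(f"{k}: {v}\r\n" for k, v in req["headers"].items())
    wire += "\r\n" + req["body"].decode()
    if password in wire:
        return True
    auth = req["headers"].get("Authorization", "")
    if auth.startswith("Basic "):
        return password in base64.b64decode(auth[len("Basic "):]).decode()
    return False


if __name__ == "__main__":
    for name, builder in (("query", get_with_query),
                          ("post-body", post_with_body),
                          ("basic-auth", get_with_basic_auth)):
        req = builder("joebob", "pass123")
        print(f"{name:10s} sniffable without TLS: "
              f"{secret_on_wire_in_clear(req, 'pass123')}  "
              f"password in access log: {secret_in_log(req, 'pass123')}")
```

Run it and all three variants report `sniffable without TLS: True`, which is the answer's first point; only the query-string variant reports `password in access log: True`, which is the reason to move the credential out of the URL even when the server-to-server hop is already over TLS.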