tsusanka

Reputation: 4841

How to secure REST API when Adobe AIR is used on client's side

I created a simple REST API in PHP. The client is a mobile application written in Adobe AIR. Anytime I developed an API, I used HTTPS and some basic header like X-Api-Secret, which was a secret both sides agreed on.

However, Adobe AIR is not able to send custom headers in GET requests.

From the Adobe AIR documentation:

Due to browser limitations, custom HTTP request headers are only supported for POST requests, not for GET requests.

Should the mobile app send the secret as a GET parameter? Or is there a nicer solution?

Upvotes: 0

Views: 300

Answers (1)

kiriappeee

Reputation: 87

Sending your key in the GET request as a special parameter is fine. It doesn't make things any more secure just because you sent your data as a header in a POST request. Most APIs will accept the application key in a GET parameter (e.g. Trello).

If there is something vitally secret that you don't want anyone else to find, then you don't want to keep it stored on the mobile app anyway because someone decompiling the app will be able to find it.

Upvotes: 1
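
One way to handle this on the PHP side, added here as an example (not code from the question or the answer): the API accepts the secret from the X-Api-Secret header on POST or from a query parameter on GET, compares it in constant time, and masks it before the application logs the URI, since query strings, unlike headers, are commonly written to logs. The parameter name `api_secret` and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

const SECRET_PARAM = 'api_secret'; // hypothetical query parameter name

/** Return the client-supplied secret: header first (POST), then query string (GET). */
function extractSecret(array $server, array $query): ?string
{
    // PHP exposes the X-Api-Secret request header as HTTP_X_API_SECRET in $_SERVER.
    $value = $server['HTTP_X_API_SECRET'] ?? $query[SECRET_PARAM] ?? null;
    // ?api_secret[]=x arrives as an array; accept only a non-empty string.
    return (is_string($value) && $value !== '') ? $value : null;
}

/** Constant-time comparison, so timing does not reveal how much of the secret matched. */
function isAuthorized(array $server, array $query, string $expected): bool
{
    $supplied = extractSecret($server, $query);
    return $supplied !== null && hash_equals($expected, $supplied);
}

/** Mask the secret in a request URI before the application writes it to its own logs. */
function redactUri(string $uri): string
{
    $pattern = '/([?&]' . preg_quote(SECRET_PARAM, '/') . '=)[^&#]*/';
    return preg_replace($pattern, '$1REDACTED', $uri) ?? $uri;
}

// Constructed sample requests (not real traffic). In the real API, pass
// $_SERVER and $_GET, and load $expected from configuration.
$expected = 'constructed-demo-secret';
$get  = ['REQUEST_URI' => '/v1/items?page=2&api_secret=constructed-demo-secret'];
$post = ['REQUEST_URI' => '/v1/items', 'HTTP_X_API_SECRET' => 'constructed-demo-secret'];

parse_str((string) parse_url($get['REQUEST_URI'], PHP_URL_QUERY), $getQuery);

var_dump(isAuthorized($get, $getQuery, $expected));               // GET, secret in parameter
var_dump(isAuthorized($post, [], $expected));                     // POST, secret in header
var_dump(isAuthorized($get, ['api_secret' => ['x']], $expected)); // array instead of string
var_dump(isAuthorized($get, ['api_secret' => 'wrong'], $expected)); // wrong secret
echo redactUri($get['REQUEST_URI']), PHP_EOL;                     // URI as it should be logged
```

The web server's own access log records the full query string independently of this code, so the same masking has to be configured there as well.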
