Eli

Reputation: 38949

Basic Flask Authentication for Minimally used API

I have an API built in Flask where my list of API consumers is very small, controlled by me, and I am certain will never grow. The consuming applications are all trusted equally and all trust each other. I just want a basic and quick method to provide authentication and encryption for the data sent to each. I've read a lot about heavier authentication/encryption schemes in Flask that do things on a user level, but I really just need something really simple that will give my pre-approved list equal access. Thoughts/ideas/recommendations?

I should mention I'm very inexperienced in the realm of security, and this is really my first API that deals with it.

Upvotes: 0

Views: 145

Answers (1)

Jan Vlcinsky

Reputation: 44112

Authentication and authorization - delegate to web server

To keep your app simple, you can delegate this task to a web server.

To me, nginx seems a good option, but Apache or any other shall also serve very well.

With nginx, I am sure the demand for resources will be surprisingly low.

Encryption - is https what you want?

I am not exactly sure what you mean by encryption. But if you want to be sure that the data transferred is not openly available to someone sniffing your network, then https shall be sufficient.

Again, delegate this task to the web server.

Conclusions

Both shall be managed by the web server and not the app. It will keep your app simple and at the same time offload authorization and encryption to a more efficiently working component.

A typical combination could be:

  • use basic authentication
  • secure the app using https (this makes the basic authentication secure)

Alternative: proxy in front of the app

There are solutions like API Axle, which can run in front of your Flask application and take care of authorization. Your Flask application will then get only those requests which are authorized.

Upvotes: 1
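
The combination the answer describes (basic authentication plus https, both handled by nginx in front of the Flask app), sketched as an added example that is not part of the original answer. The hostname, certificate paths, htpasswd path and the Flask port 5000 are assumed placeholders.

```nginx
# Added example; hostname, file paths and upstream port are placeholders.

# Nothing is served or proxied over plain HTTP. API clients should be
# configured with the https:// URL so credentials only travel over TLS.
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # One htpasswd entry per consuming application, created with e.g.
    #   htpasswd -c /etc/nginx/api.htpasswd consumer1   (first entry)
    #   htpasswd    /etc/nginx/api.htpasswd consumer2   (later entries)
    # Separate entries let one consumer's password be rotated or removed
    # without touching the others.
    auth_basic           "API";
    auth_basic_user_file /etc/nginx/api.htpasswd;

    location / {
        # Assumes Flask is bound to loopback only (127.0.0.1:5000), so
        # requests cannot reach the app without passing through nginx.
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The app does not need the consumers' passwords; drop the header.
        proxy_set_header Authorization     "";
    }
}
```

Running `nginx -t` checks the configuration before it is reloaded.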
