user3915768

Reputation: 11

RESTful service URL and security

I proposed including filtering information in the URL, the usual approach to accessing resources through a RESTful service.

A client is concerned that the URL will contain information which they do not want logged by a web server or other infrastructure applications.

What alternatives could there be?

Upvotes: 1

Views: 72

Answers (2)

Ray

Reputation: 41448

If you don't care about being religiously RESTful, you could submit everything using POST or PUT over SSL. POST parameters are not logged in web server logs (as the GET URL is).

If it's only authentication details that you don't want recorded (like client_id & client_secret), you can use the Authorization header.

Upvotes: 1
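To make the difference concrete, here is an added example (not code from the answer above or from the asker's service) that stands up a throwaway HTTP server on 127.0.0.1 with the Python standard library, records each request the way an access log would see it (the request line, which is nginx's `$request`, plus the Authorization header), and then sends the same constructed fields once as a GET query string, once as a POST body, and once with constructed Basic credentials in the Authorization header. The `/accounts` path and the field names are assumptions for the demo.

```python
"""Compare what a web server's access log captures for a GET with a
query string, a POST carrying the same fields in the body, and a request
with credentials in the Authorization header. Added example illustrating
the answer above; not code from the original post. It uses only the
Python standard library and a throwaway HTTP server on 127.0.0.1 (a
constructed stand-in for the asker's RESTful service)."""
import base64
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RecordingHandler(BaseHTTPRequestHandler):
    """Record each request the way an access log would see it: the request
    line (nginx's $request) and the Authorization header. The body is kept
    too, only to show that the fields really did reach the server."""

    def _record(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        self.server.access_log.append({
            "request": self.requestline,                         # logged by default
            "authorization": self.headers.get("Authorization"),  # not in the default log
            "body": body,                                        # never in a default access log
        })
        self.send_response(204)
        self.end_headers()

    do_GET = do_POST = _record

    def log_message(self, fmt, *args):
        """Silence BaseHTTPRequestHandler's own stderr logging."""


def start_server():
    """Bind to a free port on localhost and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    server.access_log = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send(base_url, method, params, basic_auth=None):
    """Send the fields as a query string (GET) or a form body (POST);
    optionally add HTTP Basic credentials in the Authorization header."""
    url = base_url + "/accounts"          # assumed resource path for the demo
    data = None
    if method == "GET":
        url += "?" + urllib.parse.urlencode(params)
    else:
        data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=data, method=method)
    if basic_auth:
        token = base64.b64encode(":".join(basic_auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req):
        pass


def demo():
    """Run the three requests and return the recorded log entries."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    fields = {"account": "12345", "ssn": "000-11-2222"}   # constructed sample data
    send(base, "GET", fields)                              # lands in the request line
    send(base, "POST", fields)                             # stays in the body
    send(base, "POST", {"q": "x"}, basic_auth=("client_id", "client_secret"))
    server.shutdown()
    server.server_close()
    return server.access_log


if __name__ == "__main__":
    for entry in demo():
        print(entry["request"], "| Authorization:", entry["authorization"])
```

The first entry's request line carries `ssn=000-11-2222`, the second is just `POST /accounts HTTP/1.1`, and the third shows the credentials only in the Authorization header. The body and the header stay out of the access log only as long as nobody adds `$request_body` or `$http_authorization` to the nginx `log_format`, so that configuration needs to be reviewed as well.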

Gergo Erdosi

Reputation: 42063

You can configure your web server not to log that information. This is how it would look in the case of Nginx:

At the http level:

# Same fields as the default "combined" format, but the request line comes
# from $scrubbed_request instead of $request.
log_format scrubbed '$http_x_forwarded_for - $remote_user [$time_local] '
    '"$scrubbed_request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';

At the server level:

access_log /var/log/access.log scrubbed;

At the location level:

# Copy the request line; $request itself stays untouched.
set $scrubbed_request $request;

# Mask the value of the "sensitive" parameter. Anchoring on ? or & leaves
# e.g. "insensitive=" alone, and stopping at whitespace keeps the trailing
# " HTTP/1.1" of the request line out of the mask.
if ($scrubbed_request ~ (.*[?&]sensitive=)[^&\s]*(.*)) {
   set $scrubbed_request $1****$2;
}

The code is taken from here; visit that link for more information.

Upvotes: 2
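To try the scrubbing on sample lines and see where a naive pattern goes wrong, here is an added Python reimplementation of the idea (not the nginx code and not from the answer above). `nginx_style_scrub` applies the unanchored single-regex form `(.*)sensitive=[^&]*(.*)` exactly as an nginx `if` with two captures would, and `scrub` is the anchored version that masks every occurrence of any listed parameter, on a bare request line or on a whole access-log line. The log lines, IP address and parameter names are constructed for the example.

```python
"""Scrub query-parameter values out of access-log lines. Added example
that reimplements the nginx log-scrubbing idea in Python so it can be
run against sample lines; not the nginx code or anything from the
original answer. All log lines and parameter names are constructed."""
import re

# Constructed lines in the answer's "scrubbed" layout, but still carrying
# the raw $request, as a server without the scrubbing rule would write them.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /accounts?sensitive=4111111111111111&page=2 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /search?insensitive=1&sensitive=a&sensitive=b HTTP/1.1" 200 99 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /x?sensitive=last HTTP/1.1" 200 12 "http://example.test/?sensitive=ref" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /accounts HTTP/1.1" 204 0 "-" "curl/8.0"',
]

# The unanchored one-regex form, applied to the request line ($request) only.
NAIVE_PATTERN = re.compile(r"(.*)sensitive=[^&]*(.*)")


def nginx_style_scrub(request_line):
    """Mimic an nginx 'if' block built on NAIVE_PATTERN: match, then rebuild
    the line from the two captures. Because the first capture is greedy it
    finds the LAST 'sensitive=' (including the tail of 'insensitive='), and
    because [^&]* stops only at '&' it swallows ' HTTP/1.1' when the
    parameter is the final one in the query string."""
    m = NAIVE_PATTERN.match(request_line)
    if m is None:
        return request_line
    return f"{m.group(1)}sensitive=****{m.group(2)}"


def scrub(text, params=("sensitive",), mask="****"):
    """Mask every occurrence of each named parameter's value. The match is
    anchored on the '?' or '&' before the name (so 'insensitive=' is left
    alone) and the value ends at '&', whitespace or a double quote (so the
    ' HTTP/1.1' suffix and the closing quote of a log field survive).
    Works on a bare request line or a whole access-log line, where it also
    catches the same parameter inside the Referer field."""
    names = "|".join(re.escape(p) for p in params)
    pattern = re.compile(rf'([?&](?:{names})=)[^&\s"]*')
    return pattern.sub(lambda m: m.group(1) + mask, text)


def scrub_log(lines, params=("sensitive",)):
    """Apply scrub() to every line of an access log."""
    return [scrub(line, params) for line in lines]


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Running it shows the anchored version masking both `sensitive=` values on the second line and the Referer on the third while leaving `insensitive=1` and the `HTTP/1.1` tail intact. Whatever the server does at log-write time, it only covers that server's own log; the proxies, CDNs and other infrastructure the question mentions still receive and may record the full URL, which is the case for moving the data out of the URL altogether.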
