Reputation: 1556
Secure Connection, NSURLSession to Django Rest API
More of a question of understanding rather than looking for a technical solution. I'm on a team working to build an iOS application that needs database support. We're using Swift for the application code. A Django REST API wraps a MySQL database on the backend. The two are communicating over HTTP using Swift's NSURLSession class.
We will be passing password information over one of the http requests, and so we want to up the requests to HTTPS. On the API side we can force traffic through SSL middleware using django-ssilfy.
My concern is that including this library does nothing on the client-side. As far as I know we will only need to change the url to include 'https://' rather than 'http://'. It seems that the data passed will only be secure once it reaches the API, rather than over the entire connection.
Is there anything we must do to secure the data being passed over the NSURLSession on Wi-Fi and mobile networks? Or is simply pointing the session at an API view that is throttled through a SSL port enough to ensure the request is secure?
Please let me know if I am way off track or if there is any steps other than django-ssilfy that I should take in order to make all http communication secure!
Go SO!
Upvotes: 2
Views: 467
Answers (1)
Reputation: 41719
This question is more about whether or not SSL is secure, and less about if any of the tools that are being used make it less secure.
Luckily the Information Security Stack Exchange has your answer with an in-depth explanation as to how TLS does help secure your application.
When it comes to securing your Django site though, django-sslify is a good start, but it's not the magic cure to security issues. If you can, it's recommended to not serve insecure responses, which works well for API hosts (api.github.com is one example), but not if your API is hosted on the same domain as your front-end application. There are other Django apps available that are recommended, such as djang-secure (parts of which were integrated into Django 1.8).
You should also follow the Django security recommendations, and revisit them with new major releases. There are other resources you can look at, like "Is Django's built-in security enough" and many other questions on the Information Security Stack Exchange.
Upvotes: 1
Related Questions
- How to enable HTTP access for Django APIs on HTTPS server
- Serving Django site over HTTPS
- django rest framework https for absolute urls?
- Securely sending password data to REST API?
- how to create a SSL Secure Connection using django
- Authentication Issue with REST call for iOS
- How to use HTTPS with NSURLConnection?
- Django HTTPS and HTTP Sessions
- Secure communication between django server and iphone app
- How do I require HTTPS for this Django view?