Reputation: 8599
I am planning to work on an ASP.NET/C# RESTful Web API 2 project. One of the REST actions receives "username" and "password" via the GET method. The value of "password" passed in the query string needs to be protected from REST client programmers/consumers. The "password" passed in the query string (please see a sample REST call below) is sensitive data entered by a non-technical user who is not a REST client programmer but who is using the REST client programmers' software applications.
REST client programmers are RESTful web service consumers who write software applications on any device platform and in any programming language (Java, C++, Objective-C, C, PHP, etc.).
I am supposed to use the HTTPS protocol (not HTTP) to host my ASP.NET REST Web API services. One sample GET call to receive "password" from client/consuming programmers looks like:
https://www.mycompanyhost.com/account?username=abc&password=some_password
My questions:
1/ Is using the HTTPS protocol secure enough on my Web API services side, which receives sensitive data, and on the consumer/client side, which sends sensitive data?
2/ If HTTPS is not secure enough, then how do I, as the web service provider, and the service consumers/programmers protect sensitive data like the "password" I mentioned?
For me, the following sounds complex:
If REST web service consumers use some encryption method/algorithm, then on my REST service provider side, how can I know the same encryption method/algorithm in order to decrypt the "password"?
On my side as the provider I am using C#, but web service consumers can use any programming language and device as mentioned above, so how do we (both sides) agree on an encryption approach?
Upvotes: 2
Views: 2306
Reputation: 25050
Achieving secure communication has a long history, as you might guess (maybe since the day digital communication was born?). For your question, please consider HTTPS the must-do yet minimum security standard that you can rely on.
Moreover, there are two things that you can consider:
GET
password from server. Almost all web services treat passwords in a hashed manner (written with several mathematical encryptions), so they can only compare them and cannot read the words back. Finally, I strongly recommend a book to read, "Pro ASP.NET Web API Security" (amazon link). It will give you enough knowledge to make decisions in your technical domain.
Upvotes: 1