Kuku

Reputation: 514

Secure the communication between website and our RESTful web service

We will have a website created by an outsourcing company; that website will send some information in a JSON payload to our RESTful web service. The user will log in and authenticate on that website, so we don't want to know the username and password of the user. What we need is to make sure the JSON was sent from that trusted website; then we will send back another JSON payload including some info from us.

I am pretty new to the security area, so I googled a bit and found out that we can use a certificate to encrypt/decrypt the message. But what will be the solution if we can identify the hack request in the first place and reject that request?

Upvotes: 1

Views: 441

Answers (2)

Andreas Schantl

Reputation: 131

From your description, two things come to mind immediately:

  1. Use an SSL certificate. That already ensures that your site is transferred encrypted over the internet.
  2. Use a token system. Tokens are widely used in payment solutions, for example, as credit card data should never touch your own server. All tokens contain some secret information that is used to prove identity.
  3. Use HTTP request headers, e.g. Basic Auth.

For sure, you should have an SSL certificate. This already adds a lot of security to your site.

> But what will be the solution if we can identify the hack request in the first place and reject that request?

Well, you have answered it yourself. If you can detect it, reject it.

Upvotes: 1

qkerby

Reputation: 50

A simple way to protect your RESTful service is something like basic auth. The application making the REST call would provide a request header like

Authorization: Basic ZWx1c3VhcmlvOnlsYWNsYXZlde

This would not be a user-based solution, but a webapp to webapp solution. All other requests would be unauthorized.

https://en.wikipedia.org/wiki/Basic_access_authentication

Upvotes: 1
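A sketch of the service-side check for the webapp-to-webapp Basic auth header described in the answer above, added here as an example and not code from either answer. The client id, secret, realm and function names are constructed for illustration, and the check assumes the request arrived over the TLS connection the first answer recommends, since Basic credentials are only base64-encoded, not encrypted.

```python
import base64
import binascii
import hmac

# Constructed sample credentials for the calling web application (assumption).
EXPECTED_CLIENT_ID = "partner-website"
EXPECTED_SECRET = "constructed-sample-secret"


def parse_basic_header(header_value):
    """Return (client_id, secret) from an Authorization header, or None if malformed."""
    if not header_value:
        return None
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        # validate=True rejects non-alphabet characters and bad padding.
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return client_id, secret


def authorize(headers):
    """Return (status, response_headers) for a request's header dict."""
    creds = parse_basic_header(headers.get("Authorization"))
    challenge = {"WWW-Authenticate": 'Basic realm="partner-api"'}
    if creds is None:
        return 401, challenge
    client_id, secret = creds
    # compare_digest avoids leaking how many leading bytes matched via timing.
    id_ok = hmac.compare_digest(client_id.encode(), EXPECTED_CLIENT_ID.encode())
    secret_ok = hmac.compare_digest(secret.encode(), EXPECTED_SECRET.encode())
    if id_ok and secret_ok:
        return 200, {}
    return 401, challenge


def make_header(client_id, secret):
    """Build the header value the calling web application would send."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode("ascii")
    return f"Basic {token}"
```

Both comparisons are evaluated before the decision so that a wrong client id and a wrong secret take the same code path, and every failure returns the same 401 challenge without saying which part was wrong.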
