Questions tagged [rest]

An abbreviation for REpresentational State Transfer: an architectural style for stateless client-server systems, popular in the implementation of web services.

Use this tag on questions that are specifically about the REST aspects of a protocol, such as how to authenticate requests. If a question is about a web application but not about its RESTful aspects, just use or .

373 questions
234 votes, 7 answers

Should I use CSRF protection on Rest API endpoints?

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints without discussing if it is actually necessary. …
Conor Mancone
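The practical check behind this question, written here as an added example in Python (it is not code from the question or any of its answers): a state-changing request that rides on ambient credentials (a session cookie, or cached HTTP auth) needs a same-origin check; a request whose only credential is a bearer token that client script puts in an Authorization header cannot be forged by a third-party page, because the browser never attaches that header on its own. The assumed input is a dict of lower-cased header names and constructed sample requests; the names `request_is_csrf_safe`, `allowed_origins` and `ambient_credentials` are this example's own.

```python
from urllib.parse import urlsplit

# Methods that must not change server state. Forging one of these is harmless
# only if the API actually honours that contract.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _origin_from_referer(referer: str):
    """Reduce a Referer URL to its origin, scheme://host[:port], lower-cased."""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_is_csrf_safe(method, headers, allowed_origins, ambient_credentials=True):
    """Decide whether a request could be a cross-site forgery.

    headers: dict with lower-cased header names (constructed input in demo()).
    allowed_origins: set of lower-cased origins that may drive this API.
    ambient_credentials: True when the session is in a cookie or HTTP auth that
        the browser attaches automatically; False when the client sends a bearer
        token in an Authorization header from script.
    Returns (allowed, reason).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe-method"
    if not ambient_credentials:
        # Nothing a third-party page can make the browser attach; CSRF does not apply
        # (XSS that reads the token is a separate problem).
        return True, "no-ambient-credential"
    # Fetch Metadata, when the browser sends it, is the cheapest reliable signal.
    if headers.get("sec-fetch-site") == "cross-site":
        return False, "fetch-metadata-cross-site"
    origin = headers.get("origin")
    if origin is None and "referer" in headers:
        origin = _origin_from_referer(headers["referer"])
    if not origin:
        # Neither header present: fail closed for state-changing requests.
        return False, "no-origin"
    if origin.lower() not in allowed_origins:  # also rejects the literal "null"
        return False, "origin-mismatch"
    return True, "origin-ok"


def demo():
    """Constructed requests against a single allowed origin."""
    allowed = {"https://app.example"}
    cases = {
        "get_no_headers": ("GET", {}, True),
        "post_same_origin": ("POST", {"origin": "https://app.example", "cookie": "sid=abc"}, True),
        "post_evil_origin": ("POST", {"origin": "https://evil.example", "cookie": "sid=abc"}, True),
        "post_null_origin": ("POST", {"origin": "null", "cookie": "sid=abc"}, True),
        "post_referer_only": ("POST", {"referer": "https://app.example/settings?x=1", "cookie": "sid=abc"}, True),
        "post_no_origin_headers": ("POST", {"cookie": "sid=abc"}, True),
        "post_fetch_metadata_cross_site": ("POST", {"origin": "https://evil.example", "sec-fetch-site": "cross-site"}, True),
        "post_bearer_header": ("POST", {"authorization": "Bearer t0k3n"}, False),
    }
    return {name: request_is_csrf_safe(m, h, allowed, ambient)
            for name, (m, h, ambient) in cases.items()}
```

The `no-origin` branch is a policy choice: browsers strip Referer in some privacy configurations, so failing closed can reject a few legitimate clients, while failing open would defeat the check. If the API must serve such clients, a synchronizer or double-submit token is the usual fallback.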
89 votes, 7 answers

How do I secure my REST API?

In detail here's the problem: I'm building an Android app, which consumes my REST API on the back-end. I need to build a Registration and Login API to begin with. After searching with Google for a while, I feel like there are only two approaches…
noob Mama
73 votes, 2 answers

JSON Web Tokens (JWT) as user identification and authentication tokens

I'm implementing a REST service that requires authentication. I cannot store any per-user state (such as a randomly-generated token) because my service does not have direct access to a database, only to another backend service. The solution I came…
imgx64
71 votes, 3 answers

Securing a JavaScript Single Page App with RESTful backend

I'm currently in the process of building a JavaScript SPA and have been researching how to secure it. There is currently a RESTful API that is being completely interacted with through AJAX. We also have mobile clients that interact with this API,…
Jon Wingfield
65 votes, 6 answers

SSL with GET and POST

I'm pretty new to security, so forgive my basic question, but does SSL encrypt POST requests but not GET requests? For instance, if I have two requests GET: www.mycoolsite.com/index?id=1&type=xyz POST site: www.mycoolsite.com/index { Params:…
TomJ
52 votes, 2 answers

What is PKCE actually protecting?

I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand. So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…
TommyBs
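The PKCE exchange the question describes, as an added Python example (not code from the question or its answers): the app generates a random code verifier, sends only its SHA-256 challenge with the authorization request, and later proves possession of the verifier when redeeming the code. The `AuthorizationServer` class is a stand-in this example assumes, remembering the challenge bound to each issued code; the RFC 7636 Appendix B test vector is used to check the S256 transform.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier that never leaves the app (32 bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in for the authorization server (assumed, not a real library)."""

    def __init__(self):
        self._pending = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Issue an authorization code bound to the presented challenge."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def exchange(self, code: str, code_verifier: str):
        """Redeem a code; any attempt, right or wrong, consumes it."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        challenge, method = entry
        if method != "S256":  # refuse the 'plain' method outright
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-" + secrets.token_hex(8)


def demo():
    """Honest app vs. an attacker who saw the redirect carrying the code."""
    server = AuthorizationServer()

    # Flow 1: the honest app finishes first; replaying the same code fails.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    legit = server.exchange(code, verifier)
    replay = server.exchange(code, verifier)

    # Flow 2: an attacker (e.g. a rogue app registered for the same custom URI
    # scheme) intercepts code2 and races to redeem it without the verifier.
    verifier2 = make_code_verifier()
    code2 = server.authorize(make_code_challenge(verifier2))
    attacker = server.exchange(code2, make_code_verifier())
    honest_after_attack = server.exchange(code2, verifier2)

    return {
        "legit_got_token": legit is not None,
        "replay_got_token": replay is not None,
        "attacker_got_token": attacker is not None,
        "honest_after_attack_got_token": honest_after_attack is not None,
    }
```

In the second flow the honest app also ends up without a token, because the code was burned by the attacker's failed attempt. That is the intended outcome: PKCE turns code interception into a denial of that one login rather than a token theft, and invalidating the code on a mismatch is what stops an attacker from guessing the verifier over many tries.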
43 votes, 10 answers

Is it more secure to program a client-server system in a language other than English?

I'm developing a system with communication via REST between front (JavaScript) and back end (Java/Spring) and this question popped up. Does it make this system more secure to name variables, URLs, etc in a language other than English? I imagine it…
GuiRitter
40 votes, 4 answers

Can I prevent a replay attack of my signed JWTs?

I have implemented a stateless auth over HTTP in Laravel, using JWTs. I send my username/password from the frontend. Server authenticates user, sends back a signed JWT with an expiry time. I'm using the HS512 algorithm to sign with a private key…
Aditya M P
39 votes, 11 answers

Returning the wrong HTTP response code on purpose?

I'm writing a simple REST API, and I want to restrict access to my mobile-client only. In other words, I'm trying to prevent a malicious user from e.g. using curl to make an unauthorized POST request. Of course, this is impossible. However, there…
Miles
36 votes, 3 answers

Store Auth-Token in Cookie or Header?

I do understand that a header is the "cleaner" solution to transport an auth-token from a trusted system to another in a REST call. But when you are in client-side JavaScript code, the world looks different to me. Cookies can be marked as…
rdmueller
35 votes, 4 answers

How to protect against login CSRF?

http://seclab.stanford.edu/websec/csrf/csrf.pdf points out that most CSRF protection mechanisms fail to protect login forms. As https://stackoverflow.com/a/15350123/14731 explains: The vulnerability plays out like this: The attacker creates a host…
Gili
34 votes, 1 answer

JSON Web Tokens - How to securely store the key?

I was building a RESTful Web Service when I came across JSON Web Tokens as an alternative to traditional cookies for authentication. The conceptual core of this method is that the server is the only agent that knows the secret key used to digest…
NMO
34 votes, 6 answers

Ensure web service only accessed by authorized applications

Preface My mobile app allows users to create accounts on my service. In addition to being able to log in with external authentication providers, like Facebook, I want to give the user the option to create an account using an e-mail…
sbsmith
32 votes, 8 answers

Is there a way to prevent someone from making his own client app for my webservice?

Say I have a RESTful web service and a commercial Android app on the front end which is used to interact with it. I may use SSL so that the endpoints are not visible, but someone could still do some reverse engineering to find them. I could also use…
Ana Mandic
31 votes, 3 answers

Secure a publicly accessible REST api

We're building a public single page app in JavaScript that talks to a back-end REST service. What we want is for that REST-service to be only accessible from the single page app. Since it's a public website, we can't / don't want the user to enter…
Kenneth