Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to send secure token from RESTful service?

Tags:

rest

http

security

asp.net-web-api

restful-authentication

I am building a RESTful service using ASP.NET Web API with custom token based authentication. The client will send credentials on the first call. The service will create an encrypted token using the user details and this token will be used for authentication from this point onwards. Now the service needs to send this token back to the client. Initially I kept the token in a HTTP custom response header so that the client can read the value independent of the data returned by the service. This worked well when client and service are in the same domain, but failed in Cross domain scenario. I have CORS enabled my Service and added all kinds of headers like "Access-Control-Expose-Headers", "Access-Control-Allow-Origin: *" etc. But the cross domain client is not able to read the custom response header I created which is "SecureToken:". I saw in couple of posts that web browsers have some issues with reading custom response headers in cross domain scenarios. So now I am thinking of sending the secure token through a common base class of all the ViewModel/data objects sent from the service.

From this context I have couple of questions:

  1. What is the best place to send custom secure tokens. Is it in response header or as a common property in the base class of the ViewModel/data classes?

  2. is there a standard HTTP response header that I can use to send token and custom information so that even cross domain clients can also read it?

Any help will be greatly appreciated! Thanks!

like image 373
Nishanth Nair Avatar asked Sep 26 '12 16:09

Nishanth Nair

People also ask

Can we send secure request using REST?

It has to be an integral part of any development project and also for REST APIs. There are multiple ways to secure a RESTful API e.g. basic auth, OAuth, etc. but one thing is sure that RESTful APIs should be stateless – so request authentication/authorization should not depend on sessions.

How do I use authentication token in REST API?

Users of the REST API can authenticate by providing a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to authenticate future requests. This LTPA token has the prefix LtpaToken2 .

How do I make RESTful API calls secure?

Use HTTPS/TLS for REST APIs HTTPS and Transport Layer Security (TLS) offer a secured protocol to transfer encrypted data between web browsers and servers. Apart from other forms of information, HTTPS also helps to protect authentication credentials in transit.

1 Answers

The Authorization header is intended for this. Check section 14.8 in this link for details on how to use it.

like image 55
basiljames Avatar answered Oct 15 '22 00:10

basiljames
Sign in to Comment

Related questions

Website script injection scan [closed]
SQL & ColdFusion Encryption
security concerns around storing user data on Google App Engine
Oracle padding exploit - how does it download the web.config?
How can ASLR be effective?
Why does fireshepard kill firesheep?
How secure is it to call Amazon S3 Services from an iPhone?
Is there such a thing as the "Tamper Data firefox plugin" for chrome? [duplicate]
Is it possible to programmatically authenticate with Spring Security and make it persistent?
Is disabling CSRF protection sometimes justified?
Security Features in Android
What are the risks of having secure=false in a crossdomain.xml
Is there any need to sanitize a $_POST value before using it in a PHP header (for redirecting)
How to sign data with .p12 file in Java?
What does it take to write a PCI compliant assembly?
Java Stack Introspection
Buffer Overflow - Program terminates after spawning a shell
Disable form security CakePHP
How secure login to my android app using facebook-id?
Is it possible to hide the password in MySQL General/Slow Query Logs?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!