
Is HTTPS protocol relevant for REST API Webservices?

Tags: rest, php, https, api

I have an HTTP REST API in PHP used by an iPhone application.

Some webservices from this API are secured with user authentication in the HTTP request credentials, but I want to avoid "man in the middle" attacks by providing fully encrypted request data.

I'm not really skilled in security issues and I couldn't find any clear answer to my question anywhere:

Is HTTPS relevant for a STATELESS REST API?

From what I understood, HTTPS does 2 things:

  • encrypt your session
  • prove to the client that the server he is talking to is secured

So at first sight it does not respond to my need which is to encrypt the data between my server and the application because the API does not use sessions. But I still have doubts.

Can someone make it clear to me?

My other solution would be to encrypt request data with a public/private key system. Would it be more suitable?

Thank you!

Bedu33 asked Apr 24 '12 17:04



2 Answers

Yes, it is. HTTPS has nothing to do with the application; it's a tunneling protocol. Even though TLS is itself a stateful protocol, the HTTP part going over it is not.

Just like if you were using a VPN, you can still have a REST-based application. The TLS just sets up and tears down the tunnel automatically for each connection.

That said, there's value in leveraging the pipelining aspects of HTTP and HTTPS to improve throughput over TLS connections, but that's a performance tuning aspect unrelated to the application itself.

Will Hartung answered Sep 28 '22 05:09


HTTPS is very relevant, and yes, that's because of the two points you mentioned. Did you know that OAuth 2 actually enforces HTTPS?

Doing all the encryption yourself could be an option as well, but you lose the part where the API is easy to use.

Most man-in-the-middle attacks on "simple" HTTP requests involve stealing credentials and faking requests, but they can also read the data sent and received. If your issue is with the data being unreadable, use HTTPS. If fake requests are the only problem, an authentication protocol such as OAuth 1 (not 2) would suffice.

Tom van der Woerdt answered Sep 28 '22 04:09
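An added example, not code from the question or from either answer: a guard for the entry point of a PHP REST API like the one described, which refuses any request that did not arrive over TLS so the HTTP authentication credentials the question mentions are never accepted over a plaintext connection. The `TRUSTED_PROXIES` list and the `X-Forwarded-Proto` handling are assumptions about the deployment (TLS may be terminated at a reverse proxy in front of PHP).

```php
<?php
// Added example (not from the question or the answers): guard placed at the
// very top of a stateless PHP REST API entry point. It rejects plaintext
// requests before any authentication logic runs.

// Hypothetical addresses of reverse proxies allowed to terminate TLS.
// X-Forwarded-Proto is only trusted from these hosts; any other client
// could set the header itself and bypass the check.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function requestIsHttps(array $server): bool
{
    // Case 1: TLS terminated by this web server ($_SERVER['HTTPS'] is set).
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: TLS terminated by a trusted reverse proxy in front of PHP.
    $remote = $server['REMOTE_ADDR'] ?? '';
    $proto  = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return in_array($remote, TRUSTED_PROXIES, true) && $proto === 'https';
}

function enforceHttps(array $server): void
{
    if (requestIsHttps($server)) {
        // Ask the client to keep using HTTPS for this host from now on.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    // An API client is not a browser: do not redirect to https://, because any
    // credentials in this request have already crossed the network in the
    // clear and a redirect would only hide that fact. Refuse the request.
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'HTTPS required']);
    exit;
}

enforceHttps($_SERVER);

// ... authentication and the REST handlers follow here.
```

Treat any credentials that do arrive over plaintext as exposed and rotate them; the guard prevents the API from honouring such requests but cannot undo the disclosure.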