I am developing an API that will be used by users of my customers. Here is what the flow will look like:
I am looking for advice on how to secure this API. I see a few issues:
Does anyone have any ideas on how to design this?
Encryption — Having encryption enabled on the API and using https using TLS secures the channel as well as the information sent. Rate limiting and throttling — Limiting the number of requests coming into an API helps prevent abuse. Throttling enables the availability of the service for legitimate consumers.
If you are building just a basic API, with simple GET and POST requests, then you might want to ask yourself if the data that you are displaying or manipulating requires "security". If not then most likely, you don't need to implement OAuth.
Basic authentication is an HTTP-based authentication approach and is the simplest way to secure REST APIs. It uses a Base64 format to encode usernames and passwords, both of which are stored in the HTTP header.
I may be mistaken but maybe you could have your customers' users talk to your customers' APIs instead. Basically, your customers would keep their secret key on their servers, and not embed them in the clients they give their users, so it couldn't be hijacked (unless their server was compromised of course). Then the users would talk to your API through your customers' APIs.
It would be slower and need more work on the part of your customers, but also safer.
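The layout this answer describes, as an added example (not code from the post or from any project): the customer's own server authenticates its end user, tags the upstream call with that user's identity, and signs it with a secret that never leaves the server, while the vendor side checks the signature and its freshness. The customer id, session table, secret and HMAC scheme are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders, not values from the original thread.
VENDOR_SECRET = b"customer-secret-key-example"  # stored only on the customer's server
USER_SESSIONS = {"sess-123": "alice"}           # the customer's own end-user sessions

def sign(secret: bytes, method: str, path: str, body: str, ts: int) -> str:
    """HMAC over method, path, timestamp and body hash (assumed scheme)."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    msg = f"{method}\n{path}\n{ts}\n{body_hash}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def customer_proxy(session_id: str, path: str, payload: dict) -> Optional[dict]:
    """Customer's server: check its own user, then build the signed vendor call.
    The end user's client never sees VENDOR_SECRET; it only holds a session id."""
    user = USER_SESSIONS.get(session_id)
    if user is None:
        return None  # unauthenticated end user: nothing is forwarded upstream
    body = json.dumps({"on_behalf_of": user, **payload}, sort_keys=True)
    ts = int(time.time())
    return {"method": "POST", "path": path, "body": body, "ts": ts,
            "customer_id": "cust-1",
            "sig": sign(VENDOR_SECRET, "POST", path, body, ts)}

def vendor_verify(req: dict, secrets: dict, now: Optional[int] = None,
                  skew: int = 300) -> bool:
    """Vendor API: look up the customer's secret, reject stale or tampered calls."""
    secret = secrets.get(req.get("customer_id"))
    if secret is None:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - req["ts"]) > skew:
        return False  # replayed or badly skewed request
    expected = sign(secret, req["method"], req["path"], req["body"], req["ts"])
    return hmac.compare_digest(expected, req["sig"])
```

A compromised end-user client can only spend the customer's session, which the customer can revoke, rather than the vendor secret.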