Using a RESTful API - Is it secure?

Tags: rest, url, https, api

We are partnering with a service provider which exposes their services via RESTful API.

We can authenticate with the API by passing a username and password as URL parameters.

Example: https://example.com/api/service.json?api_user=Username&api_key=Password

I know this is using SSL. However, since the username and password are part of the URL, couldn't this be intercepted by a third party?

265 likes
Michael asked Feb 07 '13 18:02


2 Answers

No, a third party will only be able to see the destination (example.com). The rest of the URL is actually embedded inside the request.

It helps to understand the process of how an HTTP (or HTTPS) request is made.

  1. determine protocol (in this case HTTPS, using port 443)
  2. get IP address of server using DNS
  3. establish a TCP connection to server (if SSL is involved, it's a bit more complicated)
  4. issue a request to server on the new connection which will look something like

    GET /api/service.json?api_user=Username&api_key=Password

Since the actual request is part of the encrypted data stream, there's no way for someone monitoring the connection to extract sensitive information.

185 likes
Ferruccio answered Oct 20 '22 02:10


The previous answers are both technically correct; if you're using HTTPS, the URL and querystring data will be encrypted prior to transmission and can be considered secure.

However, the fact that an API is asking for a username and password as querystring parameters may indicate a somewhat lax approach to security.

For example, many webservers will log the request querystring parameters by default, which means that your plain-text credentials might be lying around on disk somewhere (and many companies will store, or back up, webserver logs in insecure ways).

In short: passing credentials as querystring parameters isn't a security risk per se, but is generally a bad practice and may be symptomatic of larger security issues.

42 likes
mflaming answered Oct 20 '22 01:10
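The logging problem mflaming describes, worked as an added example (not code from the question or either answer): a small scrubber that finds and redacts credential-bearing query parameters in Apache/nginx combined-format access log lines, so stored or backed-up logs do not retain the api_user/api_key values. The parameter-name list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query parameter names that commonly carry credentials (assumed list; extend for your API).
SENSITIVE_PARAMS = {"api_key", "apikey", "api_user", "password", "passwd", "token", "secret"}

# Request line inside an Apache/nginx combined-format access log entry: "GET /path?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_names); values of sensitive params are replaced, names kept."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    redacted = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))
    return redacted, leaked

def scrub_log_line(line):
    """Scrub one access log line; returns (scrubbed_line, leaked_names)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []  # not a request line we recognise: leave untouched
    redacted, leaked = redact_target(m.group("target"))
    if not leaked:
        return line, []  # nothing sensitive: keep the original bytes exactly
    return line[:m.start("target")] + redacted + line[m.end("target"):], leaked

def scrub_log(lines):
    """Scrub many lines; returns (scrubbed_lines, findings) with findings as (line_no, names)."""
    scrubbed, findings = [], []
    for line_no, line in enumerate(lines, start=1):
        new_line, leaked = scrub_log_line(line)
        scrubbed.append(new_line)
        if leaked:
            findings.append((line_no, leaked))
    return scrubbed, findings

# Constructed sample access log lines (not real traffic); the first reuses the question's example URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Feb/2013:18:02:11 +0000] "GET /api/service.json?api_user=Username&api_key=Password HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '203.0.113.5 - - [07/Feb/2013:18:02:12 +0000] "GET /api/status.json?verbose=1 HTTP/1.1" 200 87 "-" "curl/7.29.0"',
]
```

Scrubbing is damage control after the fact; the real fix is for the API to accept credentials in an Authorization header or request body, which the default access log format does not record.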