
API Centric Applications

So I'm trying to develop an application where the entirety of the backend is based on an API which allows for more flexibility across platforms.

My slight issue is that I want every single task to be executed through the API, meaning that each task is executed as the user rather than as the app itself, allowing the user to make identical API calls from outside the application as well.

I'm using forced HTTPS as standard, so as far as I'm aware at this point there is no reason to encrypt the data again. But my two main questions are:

  1. What is the most effective and efficient way to implement API security?

  2. How would I best implement per user API requests within the application?

Please comment for any clarification if needed.

With HTTPS you don't need to re-encrypt, but only if you also prevent man-in-the-middle attacks. You do that by certificate pinning, which means that the app verifies the authenticity of the server certificate to check that the server is who it says it is and is also the server the app expects. You can go further and also have the server check the app identity, though you've said the user can access the API outside the app, so applying these checks could be technically challenging.

Most people use API keys to add a level of security, though it isn't exactly security and it relies on the users and the app code not making those keys publicly available.

This extends to a user token which is transient and needs to be recreated periodically (or explicitly on demand). So the user logs in and then has a temporary token that they can use to validate each request they make for a short period of time (and possibly limited only to that device).

Ideally the data of concern would be protected using a password which is only known by the user, not stored on any device or server. So on top of the identification and user session validation the data doesn't leave the device in an unencrypted form.

Exactly what of this you can achieve is context dependent. If the server is processing the data rather than just holding and returning / forwarding it, then there are obvious limitations, and your security becomes more a question of transport security and password / key storage.
