All Questions
1 vote
3 answers
3k views

Designing APIs that don't expose database primary keys

People say "don't expose primary keys from the database in your API" because it's a major security leak, so I'm trying to come up with a way for: RESTful HTTP requests to reference server-...
asked by hotmeatballsoup
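One way to keep the database primary key server-side, as an added example that is not part of the question above or any answer to it: every row also carries a random, indexed `public_id`, URLs and JSON use only that handle, and an unknown handle (including a raw integer key a client tries to walk) yields a plain 404. The `Book`, `BookRepository` and `handle_get_book` names and the in-memory table are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Book:
    pk: int          # internal database primary key; never serialised
    public_id: str   # random, opaque handle that appears in URLs and JSON
    owner: str
    title: str


class BookRepository:
    """Constructed in-memory stand-in for a table with an integer primary
    key plus an indexed, unique, random public_id column."""

    def __init__(self) -> None:
        self._by_pk: Dict[int, Book] = {}
        self._by_public_id: Dict[str, Book] = {}
        self._next_pk = 1

    def create(self, owner: str, title: str) -> Book:
        # 128 random bits from the OS CSPRNG: guessing and collisions are both
        # negligible, and the value reveals nothing about row order or row count,
        # unlike a sequential integer key.
        public_id = secrets.token_urlsafe(16)
        book = Book(self._next_pk, public_id, owner, title)
        self._next_pk += 1
        self._by_pk[book.pk] = book
        self._by_public_id[public_id] = book
        return book

    def get_by_public_id(self, public_id: str) -> Optional[Book]:
        return self._by_public_id.get(public_id)


def serialise(book: Book) -> dict:
    """Response representation: the public handle is the only identifier sent."""
    return {"id": book.public_id, "title": book.title}


def handle_get_book(repo: BookRepository, public_id: str) -> Tuple[int, Optional[dict]]:
    """GET /books/{id}: resolve only through the opaque handle. An unknown
    handle, including a raw primary key such as "1", is an ordinary 404."""
    book = repo.get_by_public_id(public_id)
    if book is None:
        return 404, None
    return 200, serialise(book)


if __name__ == "__main__":
    repo = BookRepository()
    first = repo.create("alice", "Threat Modeling")
    print(handle_get_book(repo, first.public_id))
    print(handle_get_book(repo, "1"))
```

The handle is a lookup key, not a capability: the ownership check on the resolved row is still required, the opaque id only removes enumeration and the information leak of sequential keys.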
0 votes
1 answer
40 views

Should I check the ownership of every "something_id" field from a POST request?

I have an endpoint API for a POST request in a multi-tenant application, let's say it is for a Payment, where we have to store these fields: tenant_id (this is the account owner) amount date payer_id ...
asked by jacopo.galli
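An added example of the check the question asks about, not code from the question or from any answer: the tenant is taken from the authenticated caller rather than the request body, and every `*_id` reference in the body is resolved against its table and must belong to that tenant. A reference that is missing and one that belongs to another tenant produce the same 404, so a caller cannot probe which ids exist. The `PAYERS` and `ACCOUNTS` tables, the `Row` type and the handler names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple


@dataclass(frozen=True)
class Row:
    id: int
    tenant_id: int


# Constructed sample tables: rows owned by tenant 10 and by tenant 20.
PAYERS: Dict[int, Row] = {1: Row(1, 10), 2: Row(2, 20)}
ACCOUNTS: Dict[int, Row] = {7: Row(7, 10), 8: Row(8, 20)}

# Every reference field a client may send, with the table that must own it.
REFERENCE_FIELDS: Dict[str, Mapping[int, Row]] = {
    "payer_id": PAYERS,
    "account_id": ACCOUNTS,
}


class NotFound(Exception):
    """Missing reference OR reference owned by another tenant: one error for both."""


class BadRequest(Exception):
    pass


def resolve_owned(table: Mapping[int, Row], ref_id: int, tenant_id: int, field: str) -> Row:
    row = table.get(ref_id)
    if row is None or row.tenant_id != tenant_id:
        raise NotFound(field)
    return row


def create_payment(auth_tenant_id: int, body: dict) -> dict:
    """POST /payments. auth_tenant_id comes from the verified session or token,
    never from the body; a tenant_id the client sends must match it."""
    if "tenant_id" in body and body["tenant_id"] != auth_tenant_id:
        raise BadRequest("tenant_id does not match the authenticated tenant")
    amount = body.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        raise BadRequest("amount must be a positive number")

    refs = {}
    for field, table in REFERENCE_FIELDS.items():
        if field not in body:
            raise BadRequest(f"{field} is required")
        refs[field] = resolve_owned(table, body[field], auth_tenant_id, field).id

    # tenant_id is stored from the authenticated context, not from the client.
    return {"tenant_id": auth_tenant_id, "amount": amount, "date": body.get("date"), **refs}


def handle_post_payment(auth_tenant_id: int, body: dict) -> Tuple[int, dict]:
    """Map the outcome to an HTTP status the way a framework handler would."""
    try:
        return 201, create_payment(auth_tenant_id, body)
    except NotFound as e:
        return 404, {"error": f"unknown {e}"}
    except BadRequest as e:
        return 400, {"error": str(e)}


if __name__ == "__main__":
    print(handle_post_payment(10, {"amount": 5, "date": "2024-01-01", "payer_id": 1, "account_id": 7}))
    print(handle_post_payment(10, {"amount": 5, "payer_id": 2, "account_id": 7}))
```

Keeping the field-to-table map in one place means a new `*_id` field cannot be added to the request without also declaring who must own it.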
1 vote
2 answers
555 views

How to get the CSRF token when using a cross-origin REST API?

Usually, the web server that is serving a page includes the CSRF token inside the HTML. However when I'm using a cross-origin REST API, there is no "initial" page that could include the CSRF ...
asked by Kevin Kevinski
1 vote
2 answers
212 views

REST HTTP Response code for a resource that the user is not authorised to access

Suppose user A creates a private resource at, for example, /books/somebooktitle If user B attempts to access the resource at /books/somebooktitle what code should be returned? HTTP403: Permission ...
asked by Neil
-2 votes
1 answer
40 views

Securing the REST APIs - Security Framework (Technology) vs. Custom

There are many ways to secure the REST APIs, from authentication and authorization view point. Below are the two which I know so far: Using existing token based IAM solutions like Okta, KeyCloak, ...
asked by Jignesh M. Khatri
2 votes
2 answers
508 views

What are the best practices to authorize every REST request?

My question may sound very naïve to someone, but it is what it is. I have below scenario: Relational MySQL Database with BIGINT primary keys and foreign keys Spring boot as a backend (technology ...
asked by Jignesh M. Khatri
2 votes
3 answers
315 views

Securing REST API with authenticated user

I want to build a REST API but I have some holes when it comes to the security part. I would like to get my head around how to authenticate the calls to the API. Therefore, this is my first draft for ...
asked by NeoChiri
2 votes
4 answers
2k views

REST API include permissions into resource

We currently have REST API, where you have a set of different resources, like: GET /cats GET /cats/{catId} GET /dogs Clients decide whether they can perform an action based on resource permissions. ...
asked by Maxim Zabolotskikh
0 votes
1 answer
63 views

REST service with digitally signed parameters

I'd like to build a REST service that will accept objects that have a digital signature. This service has to support both XML and JSON data serialization formats. I'd like to use the .NET Core framework to ...
asked by oleksa
0 votes
1 answer
82 views

Is it a bad thing to delegate a callout to an external system, given that my current one can't do it?

Custom code written for the Salesforce platform is incapable of making a PATCH request to an external server (PUT and POST are okay though), and I need to make a PATCH request to an external service (...
asked by Renato Oliveira
0 votes
1 answer
4k views

How the @RolesAllowed annotation is working in Java [closed]

I know that the @RolesAllowed annotation can be used to provide role-based access control to REST endpoints and I am currently using that with RESTEasy. I need to know how it is working behind the scenes....
asked by isuru-buddhika
2 votes
2 answers
681 views

Security Issues with RESTful Authentication & Session Management

I'm trying to implement authentication and session management for a microservice. In order to do the process RESTfully, I understand that I'll need to use some kind of token-based authentication to ...
asked by shinvu
3 votes
2 answers
287 views

How to safeguard a COTS REST API with on-premise servers for approved client apps only?

Goal: Prevent unauthorized 'clone' apps from using REST API-based solutions where the customers manage their own servers and services instead of the vendor doing so (database, resource, and identity). ...
asked by nothingisnecessary
1 vote
1 answer
90 views

Should I separate the REST sessions from the sessions in the rest of the application?

Assuming I have resources I restrict access to with a username + password login in my web application and in my REST API. Should I keep different sessions for both meaning that a login via the web UI ...
asked by Kalle Richter
3 votes
3 answers
8k views

Proposed Method to Restrict API Access to Mobile App Only

I read a lot that you can't restrict your public REST API to only your mobile application, but I have an idea and I want opinions on it: Variable App Key Method Mobile App Get IP address of current ...
asked by DeepBlue