2

This is probably a dumb question, but I just want to make sure with the below.

I am currently using the requests library in python. I am using this to call an external API hosted on Azure cloud.

If I use the requests library from a virtual machine, and the requests library sends to URL: https://api-management-example/run, does that mean my communication to this API, as well as the entire payload I send through is secure? I have seen in my Python site-packages in my virtual environment, there is a cacert.pem file. Do I need to update that at all? Do I need to do anything else on my end to ensure the communication is secure, or the fact that I am calling the HTTPS URL means it is secure?

Any information/guidance would be much appreciated.

Thanks,

3 Answers

5
  1. HTTPS is secure with a valid signed certificate. Some people use a self-signed certificate to maintain HTTPS. In the requests library, you explicitly verify your certificate. If you have self-signed HTTPS, then you need to pass the certificate to cross-verify with your local certificate.
  • verify = True
import requests

response = requests.get("https://api-management-example/run", verify=True)
  • Self Signed Certificate
import requests

response = requests.get("https://api-management-example/run", verify="/path/to/local/certificate/file/")
4
  • Thanks for the information. I don't quite understand the use of self signed certificate. I can see that there is a cacert.pem file that is located by default in my certifi site-packages. Is this default cacert.pem file safe to use when using a requests.Session?
    – adan11
    Commented Nov 21, 2021 at 9:16
  • You don't need to use the default cert with requests. Self-signed means your API server provider can sign an SSL certificate on their own. In most cases they buy one from a trusted source. You just use verify = True. That helps you to validate the SSL certification and is a secure way to communicate. Commented Nov 21, 2021 at 9:19
  • Thank you. So essentially if I am sending an HTTPS request to a Microsoft Azure resource, and set verify=True in my request, then my request will be properly encrypted? And I can just use the python requests library as usual by going pip install requests, and using requests.session without having to change any backend files or anything?
    – adan11
    Commented Nov 21, 2021 at 9:23
  • It doesn't matter whether you create a session or not. You just use HTTPS. YES, your request will be encrypted according to HTTPS rules. Commented Nov 21, 2021 at 9:30
3

POST requests are more secure because they can carry data in an encrypted form as a message body. Whereas GET requests append the parameters in the URL, which is also visible in the browser history, SSL/TLS and HTTPS connections encrypt the GET parameters as well. If you are not using HTTPS or SSL/TLS connections, then POST requests are the preference for security. A dictionary object can be used to send the data, as a key-value pair, as a second parameter to the post method.

The HTTPS protocol is safe provided you have a valid SSL certificate on your API. If you want to be extra safe, you can implement end-to-end encryption/cryptography. Basically, that means converting your so-called plaintext to scrambled text, called ciphertext.

3

You can explicitly enable verification in the requests library:

import requests

session = requests.Session()
session.verify = True
session.post(url='https://api-management-example/run', data={'bar':'baz'})

This is enabled by default. You can also verify the certificate per request:

requests.get('https://github.com', verify='/path/to/certfile')

Or per session:

s = requests.Session()
s.verify = '/path/to/certfile'

Read the docs.

1
  • Thanks. So just confirming, the certfile (cacert.pem) is used to verify the certificate that I receive when sending a request to api-management-example/run for example?
    – adan11
    Commented Nov 21, 2021 at 22:20
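
Added example, not part of any answer above: a standard-library sketch for auditing which `verify` value a requests call would end up using, since the per-request argument, `Session.verify` and the `REQUESTS_CA_BUNDLE` / `CURL_CA_BUNDLE` environment variables can all change it. The function names `effective_verify` and `audit` are hypothetical, the precedence is modelled on how requests merges these settings (an assumption to confirm against your installed version), and the sample cases are constructed.

```python
import os

# Environment variables requests consults for a CA bundle, in this order.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def effective_verify(request_verify=None, session_verify=True,
                     trust_env=True, environ=None):
    """Return (value, source) for the `verify` setting a call would use."""
    environ = os.environ if environ is None else environ
    verify, source = request_verify, "request argument"
    # An env bundle only applies when the call did not pass a path or False.
    if trust_env and (verify is None or verify is True):
        for name in CA_ENV_VARS:
            if environ.get(name):
                verify, source = environ[name], "env " + name
                break
    if verify is None:  # nothing per-request: fall back to the session
        verify, source = session_verify, "Session.verify"
    return verify, source


def audit(value, source):
    """Classify the effective setting for a review of TLS configuration."""
    if value is False:
        return "FAIL: certificate verification disabled by " + source
    if value is True:
        return "OK: default CA bundle in use (" + source + ")"
    if not os.path.exists(value):
        return "FAIL: CA bundle path missing: %s (%s)" % (value, source)
    return "REVIEW: custom trust store %s (%s)" % (value, source)


if __name__ == "__main__":
    # Constructed cases: (request verify, Session.verify, environment)
    cases = [
        (None, True, {}),
        (None, False, {}),
        (None, True, {"REQUESTS_CA_BUNDLE": "/nonexistent/proxy-ca.pem"}),
        (False, True, {"REQUESTS_CA_BUNDLE": "/nonexistent/proxy-ca.pem"}),
    ]
    for req, sess, env in cases:
        print(audit(*effective_verify(req, sess, environ=env)))
```

A REVIEW result means the trust decision has moved from the default bundle to a file someone configured, so that file's contents and ownership are what need checking.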
