RESTful Web Services - Security
Because RESTful Web Services are exposed over HTTP URL paths, a RESTful Web Service must be safeguarded in the same manner as a website.
The following best practices should be adhered to while designing a RESTful Web Service −
- Validation − Validate all inputs on the server. Protect your server against SQL or NoSQL injection attacks.
- Session Based Authentication − Use session based authentication to authenticate the user whenever a request is made to a Web Service method.
- No Sensitive Data in the URL − Never place a username, password or session token in a URL; these values should be passed to the Web Service via the POST method.
- Restriction on Method Execution − Allow only restricted use of methods like GET, POST and DELETE. The GET method should not be able to delete data.
- Validate Malformed XML/JSON − Check that the input passed to a web service method is well-formed.
- Throw Generic Error Messages − A web service method should use HTTP error codes like 403 to signal that access is forbidden, etc., rather than exposing internal details.
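The six practices above are easiest to see as one ordered gate that every request passes through before it reaches business logic. The block below is an added example written for this page, not code from the tutorial or its JAX-RS project; it is framework-free Python (the tutorial series uses Java) so that it runs stand-alone. The `Request` class, the `X-Session` header, the `/users` route table, the `USER_SCHEMA` allowlist and the `SESSIONS` store are all constructed for the example. Secret material in the query string is refused with 400, an unsupported method on a known resource gets 405 (a standard status the page's own table does not list), and every error body is a fixed generic string so exception text never reaches the client.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for the request object a framework hands to a handler."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


Response = Tuple[int, dict]

# Hypothetical route table: the methods each resource accepts. No path lets GET
# reach a delete operation, so a GET can never delete data.
ROUTES = {
    re.compile(r"^/users$"): {"GET", "POST"},
    re.compile(r"^/users/\d{1,10}$"): {"GET", "PUT", "DELETE"},
}

# Credentials and tokens belong in the body or headers, never in the URL, where
# they would land in access logs, browser history and Referer headers.
SECRET_QUERY_KEYS = {"username", "password", "token", "session", "sessionid"}

# Hypothetical allowlist schema for the user resource: every accepted field has a
# pattern and unknown fields are rejected. Allowlisting the shape of each value is
# what keeps injection payloads out of the data layer.
USER_SCHEMA = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
}
MAX_BODY_BYTES = 64 * 1024

# Constructed session store standing in for the service's session layer.
SESSIONS = {
    "s3ss10n-alice": {"user": "alice", "admin": False},
    "s3ss10n-root": {"user": "root", "admin": True},
}

GENERIC_MESSAGES = {
    400: "bad request", 401: "unauthorized", 403: "forbidden",
    404: "not found", 405: "method not allowed", 500: "internal server error",
}


def error(status: int) -> Response:
    """Generic error body: the status code carries the meaning; nothing internal leaks."""
    return status, {"error": GENERIC_MESSAGES[status]}


def parse_body(req: Request) -> Optional[dict]:
    """Return a validated user document, or None if the body fails any check."""
    if len(req.body) > MAX_BODY_BYTES:
        return None                      # oversized body
    try:
        doc = json.loads(req.body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None                      # malformed JSON
    if not isinstance(doc, dict) or set(doc) != set(USER_SCHEMA):
        return None                      # wrong shape, missing or unknown fields
    for key, pattern in USER_SCHEMA.items():
        value = doc[key]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return None                  # wrong type or value outside the allowlist
    return doc


def gate(req: Request, sessions: Dict[str, dict] = SESSIONS) -> Response:
    """Run the checks in order and return (status, json_body) for the handler to send."""
    try:
        if SECRET_QUERY_KEYS & {k.lower() for k in req.query}:
            return error(400)            # secret material in the URL is refused outright
        allowed = next((m for p, m in ROUTES.items() if p.match(req.path)), None)
        if allowed is None:
            return error(404)
        if req.method not in allowed:
            return error(405)            # method not permitted on this resource
        session = sessions.get(req.headers.get("X-Session", ""))
        if session is None:
            return error(401)            # missing or unknown session token
        if req.method == "DELETE" and not session["admin"]:
            return error(403)            # authenticated, but not allowed to delete
        doc = None
        if req.method in {"POST", "PUT"}:
            doc = parse_body(req)
            if doc is None:
                return error(400)        # validation failed; details stay server-side
        return 200, {"user": session["user"], "method": req.method, "input": doc}
    except Exception:
        return error(500)                # never echo the exception text to the client
```

The order matters: routing and method checks run before authentication so that an unauthenticated probe learns nothing beyond "not found" or "method not allowed", and the body is only parsed once the caller is known, which keeps malformed-input handling from being reachable anonymously.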
HTTP Code
| Sr.No. | HTTP Code & Description |
|---|---|
| 1 | 200 OK − indicates success. |
| 2 | 201 CREATED − a resource was successfully created by a POST or PUT request. Returns a link to the newly created resource in the Location header. |
| 3 | 204 NO CONTENT − the response body is empty, for example after a DELETE request. |
| 4 | 304 NOT MODIFIED − used to reduce network bandwidth usage for conditional GET requests. The response body should be empty; the headers should carry date, location, etc. |
| 5 | 400 BAD REQUEST − invalid input was provided, for example a validation error or missing data. |
| 6 | 401 UNAUTHORIZED − the user supplied an invalid or wrong authentication token. |
| 7 | 403 FORBIDDEN − the user does not have access to the method being used, for example Delete access without admin rights. |
| 8 | 404 NOT FOUND − the requested method is not available. |
| 9 | 409 CONFLICT − a conflict occurred while executing the method, for example adding a duplicate entry. |
| 10 | 500 INTERNAL SERVER ERROR − the server threw an exception while executing the method. |
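The table is easier to apply when each code is tied to the state transition that produces it. The block below is an added example written for this page, not code from the tutorial or its JAX-RS project; the `UserStore` class, the `/users` resource and the `Reply` type are constructed for illustration. It shows 201 with a Location header on create, 409 on a duplicate, 200 with an ETag on read, 304 with an empty body when the client's If-None-Match matches (one common form of the conditional GET the table mentions), 204 on delete and 404 once the resource is gone.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Reply:
    """Constructed response triple: status, headers and an optional JSON body."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


class UserStore:
    """Constructed in-memory collection exposed at the hypothetical /users resource."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    @staticmethod
    def _etag(doc: dict) -> str:
        # Strong validator derived from the canonical JSON form of the representation;
        # any change to the document changes the tag, so a stale tag never matches.
        digest = hashlib.sha256(json.dumps(doc, sort_keys=True).encode()).hexdigest()
        return '"' + digest[:16] + '"'

    def create(self, user_id: str, doc: dict) -> Reply:
        """POST /users: 201 with a Location header, or 409 for a duplicate id."""
        if user_id in self._users:
            return Reply(409, body={"error": "conflict"})
        self._users[user_id] = doc
        return Reply(201, headers={"Location": f"/users/{user_id}"}, body=doc)

    def get(self, user_id: str, if_none_match: Optional[str] = None) -> Reply:
        """GET /users/{id}: 200 with ETag, 304 on a matching If-None-Match, 404 otherwise."""
        doc = self._users.get(user_id)
        if doc is None:
            return Reply(404, body={"error": "not found"})
        tag = self._etag(doc)
        if if_none_match == tag:
            return Reply(304, headers={"ETag": tag})      # body deliberately empty
        return Reply(200, headers={"ETag": tag}, body=doc)

    def replace(self, user_id: str, doc: dict) -> Reply:
        """PUT /users/{id}: 201 when this creates the resource, 200 when it updates it."""
        created = user_id not in self._users
        self._users[user_id] = doc
        if created:
            return Reply(201, headers={"Location": f"/users/{user_id}"}, body=doc)
        return Reply(200, headers={"ETag": self._etag(doc)}, body=doc)

    def delete(self, user_id: str) -> Reply:
        """DELETE /users/{id}: 204 with no body, or 404 if nothing is there to delete."""
        if user_id not in self._users:
            return Reply(404, body={"error": "not found"})
        del self._users[user_id]
        return Reply(204)


def demo() -> List[int]:
    """Walk one client through the table's codes; returns the statuses in order."""
    store = UserStore()
    statuses = [store.create("1", {"name": "Alice"}).status]            # 201
    statuses.append(store.create("1", {"name": "Alice"}).status)        # 409 duplicate
    first = store.get("1")
    statuses.append(first.status)                                        # 200 + ETag
    statuses.append(store.get("1", first.headers["ETag"]).status)        # 304, no body
    statuses.append(store.delete("1").status)                            # 204
    statuses.append(store.get("1").status)                               # 404
    return statuses
```

Two details worth keeping: the 304 and 204 replies carry no body at all rather than an empty object, and the 404 after delete returns the same generic body as any other missing resource, so a client cannot distinguish "never existed" from "was deleted".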