Date: 2024-12-24

RESTful Web Services - Security



As RESTful Web Services work with HTTP URL Paths, it is very important to safeguard a RESTful Web Service in the same manner as a website is secured.

Following are the best practices to be adhered to while designing a RESTful Web Service −

    Validation − Validate all inputs on the server. Protect your server against SQL or NoSQL injection attacks.

    Session Based Authentication − Use session based authentication to authenticate the user whenever a request is made to a Web Service method.

    No Sensitive Data in the URL − Never put a username, password or session token in a URL; such values should be passed to the Web Service in the body of a POST request.

    Restriction on Method Execution − Allow only the intended use of methods like GET, POST and DELETE. The GET method should not be able to delete data.

    Validate Malformed XML/JSON − Check that the input passed to a web service method is well-formed before processing it.

    Throw Generic Error Messages − A web service method should respond with HTTP status codes like 403 to show that access is forbidden, etc., rather than leaking internal details.
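The six rules above, applied in order inside one request handler. This is an added example, not code from the original tutorial: the session store, the item store, the `X-Session-Token` header name and the `/items` resource are all constructed for illustration. It reuses the page's own status codes (400, 401, 403, 404, 409, 500) and adds 405 Method Not Allowed, the standard response when a path does not accept the method used; the rule in the text is that GET must never delete, and that deletion additionally needs admin rights.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample session store (token -> user record); a real service
# would back this with a server-side session store.
SESSIONS = {
    "sess-alice": {"user": "alice", "admin": False},
    "sess-root": {"user": "root", "admin": True},
}

# Constructed in-memory resource store.
ITEMS = {"1": {"name": "widget"}}

# Query-string keys that must never carry credentials (rule: no sensitive data in the URL).
SENSITIVE_QUERY_KEYS = {"username", "password", "token", "session"}

# Allowlist for the only user-supplied field: reject anything outside it
# instead of trying to sanitise injection payloads (rule: validation).
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")

ITEM_RE = re.compile(r"^/items/([0-9]+)$")


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _error(status, message):
    # Generic error text only: no stack traces, query text or internal paths.
    return Response(status, {"error": message})


def handle(method, path, query, headers, raw_body=""):
    """Dispatch one request, applying the page's rules in order.

    query and headers are plain dicts; raw_body is the request body as text.
    """
    try:
        # No sensitive data in the URL.
        if SENSITIVE_QUERY_KEYS & set(query):
            return _error(400, "credentials must not be sent in the URL")

        # Session-based authentication on every call (assumed header name).
        session = SESSIONS.get(headers.get("X-Session-Token", ""))
        if session is None:
            return _error(401, "unauthorized")

        if path == "/items":
            if method == "GET":
                return Response(200, {"items": ITEMS})
            if method == "POST":
                # Reject malformed JSON before touching its contents.
                try:
                    data = json.loads(raw_body)
                except ValueError:
                    return _error(400, "malformed JSON")
                # Validate the input against the allowlist.
                name = data.get("name") if isinstance(data, dict) else None
                if not isinstance(name, str) or not NAME_RE.match(name):
                    return _error(400, "invalid input")
                if any(item["name"] == name for item in ITEMS.values()):
                    return _error(409, "duplicate entry")
                new_id = str(max(map(int, ITEMS), default=0) + 1)
                ITEMS[new_id] = {"name": name}
                return Response(201, {"id": new_id}, {"Location": f"/items/{new_id}"})
            # Only the listed methods may run against this path.
            return _error(405, "method not allowed")

        m = ITEM_RE.match(path)
        if m:
            item_id = m.group(1)
            if method == "GET":
                item = ITEMS.get(item_id)
                return Response(200, item) if item else _error(404, "not found")
            if method == "DELETE":
                # Deletion is restricted to the DELETE method and to admin sessions.
                if not session["admin"]:
                    return _error(403, "forbidden")
                if item_id not in ITEMS:
                    return _error(404, "not found")
                del ITEMS[item_id]
                return Response(204)
            return _error(405, "method not allowed")

        return _error(404, "not found")
    except Exception:
        # Generic message to the client; the real exception belongs in the server log only.
        return _error(500, "internal server error")
```

Each check fails closed with a generic message, and the checks that need no authentication (the URL credential check) run before the session lookup so a misrouted token is refused before it can be used.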

HTTP Code

Sr.No.  HTTP Code  Description
1       200        OK − shows success.
2       201        CREATED − when a resource is successfully created using a POST or PUT request. Returns a link to the newly created resource in the Location header.
3       204        NO CONTENT − when the response body is empty, for example after a DELETE request.
4       304        NOT MODIFIED − used to reduce network bandwidth usage in the case of conditional GET requests. The response body should be empty. Headers should carry date, location, etc.
5       400        BAD REQUEST − states that an invalid input was provided, for example a validation error or missing data.
6       401        UNAUTHORIZED − states that the user is using an invalid or wrong authentication token.
7       403        FORBIDDEN − states that the user does not have access to the method being used, for example DELETE access without admin rights.
8       404        NOT FOUND − states that the method is not available.
9       409        CONFLICT − states a conflict situation while executing the method, for example adding a duplicate entry.
10      500        INTERNAL SERVER ERROR − states that the server threw an exception while executing the method.
