Collaborate Disseminate
I’m a newbie when it comes to information security. So pardon me if the solution can be found at page 12 of any introductory text.
I have an express server and two android apps(for clients and admin). The installed apps will… Continue reading Verifying the authenticity of data coming to a server
TL;DR:
Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application uses frameworks to whitelist allowed request paths and methods.
In other w… Continue reading Why should someone block all methods other than GET and POST in a RESTful application?
I’m currently working on building a rest service that other applications which we create will utilize (from backend application servers). My current process uses a single private key value for authenticating and authorizing a… Continue reading Securing RESTful APIs with Private Keys
I have a PHP file with JWT token APi->(https://github.com/durgesh-sahani/restapi-jwt-php-mysql/tree/master/jwt-api) my problem, this Api d’ont have $_POST[] method. And all method delete,insert,update in 1 file php and all is… Continue reading PHP JWT (Json Web Token) implementation in Android (Retrofit)
I am developing a service with an associated REST API for customers (companies which have their own websites) to use. In other words, one of my customers would typically make the REST call directly from their website (i.e. t… Continue reading How can I secure a REST service intended to be used by my customers’ customers via their public website?
Let’s assume there is a website with an API that supports the following REST call in which authenticated user Alice can send registered user Bob a message to his cell phone which he registered on our site (hypothetically spe… Continue reading Sensitive data enumeration via HTTP error codes
I’m thinking about an authentication sheme of a REST API in a setting where the only thing the server stores about a client, is their public key (the asymmetric encryption scheme should not matter). So I’ve come up with a scheme where the … Continue reading Bloom filter to prevent replay attacks in signed HTTP requests
Recently a situation arose where a client wants a public API that doesn’t require registration or login by the user (no password). The security team has identified that the server-side API needs to implement an authentication… Continue reading Are REST Authentication schemes that expose shared key protected against reverse proxies acting as bad user agents?
I’m currently in the process of writing a connector to an API. It’s for an automated shipping system and I’m required to listen to events from that given API, sent via Webhooks.
The API owner does not add Authentication hea… Continue reading Deal with API Webhooks that refuses authenticating itself
Try to expose protected REST API without exposing credentials in the Client (JS Code).
All solutions that come to my mind, can be reversed and the Attacker can
reconstruct them.
Are there any proven solutions? Best practic… Continue reading Exposing protected API without hardcoding credentials in the Client (JS)