Collaborate Disseminate
I am making an API that uses the following steps for encryption. All of this is implemented using libsodium.
First of all the client has to make an initial request to the server for getting his public key and client token, with that key th… Continue reading RestApi Libsodium SealedBox end-to-end request encryption scheme
I would like to use digital signatures to secure access to a RESTful API, exactly as described here under "Message signing using Digital Signature". Extract:
When signing, the sender uses their private key to write message’s si… Continue reading Are there any identity providers which support securing RESTful interfaces using digital signature?
I was reading the OWASP Cheat Sheet Series, specifically their cheat sheet for REST Security and one of the points they had under the section for API Keys was:
Do not rely exclusively on API keys to protect sensitive, critical or high-val… Continue reading What else can be used instead of an API Key to protect resources in a REST API as is implied by OWASP?
I have been reading about authentication and authorization for the past few days and I still have not figured out what would be a reasonable way to deal with this for both mobile and web applications.
From what I read, when it comes to a w… Continue reading Secure REST API for mobile and web application usage
For my learning, I have written a simple Java client code using Spring RestTemplate to access a sample Rest endpoint. To make it work, I have resolved multiple issues like
java.security.cert.CertificateException: No subject alternative DNS… Continue reading What is the need of keystore in accessing a test endpoint? [migrated]
I want to build a REST API where applications can authenticate using an OAuth2 Bearer Token, so they get access only to resources related to one user or they can access by itself accessing resources for their own application or general res… Continue reading Secure a REST API
I am participating in a project that involves a JavaScript SPA that provides a service and is intended to interact via REST APIs with one of our servers. Initially, I proposed to work on the two entities as two separate projects; specifica… Continue reading Is splitting a REST API server from a Web server considered a security threat?
During my IT school years, I was told that including rows identifiers from a database in the resource URL, in the context of a REST API, is a bad practice. To my understanding, the rationale behind this statement is that exposing technical… Continue reading How to not use database identifiers in a URL in the context of a REST API
In the Aws scheme of signing a http request with HMAC-SHA Signature you must use a secret key. When wanting to allow access to your API from a third party ,do you have to share the secret key with them too? If yes,how do you distribute the… Continue reading AWS hmac requires the distribution of secret key? [closed]
I’m in the process of developing a B2B (business-to-business) application. I’ve implemented JWT auth, and it is working as expected. Right now the authentication functions as if it were a B2C (business-to-customer) app.
I’m trying to deter… Continue reading B2B authentication best practices