REST is a modern architectural style that defines a new approach to designing web services. Unlike its predecessors, HTTP and SOA, it’s not a protocol (read: a strict set of rules), but rather a number of recommendations and best practices of how web services should communicate to each other and how to secure REST services. The services that are developed in compliance with the best REST practices are called “RESTful web services.”
Security is a cornerstone of RESTful web services. One of the ways to enable it is a proper in-built user authentication and authorization mechanism.
There are lots of ways to implement user authentication and authorization within the RESTful web services. The main approaches (or standards) we are going to talk about today are the following:
- Basic authentication
- OAuth 2.0
- OAuth 2.0 + JWT
To make our discussion more specific, let’s assume that we have microservices on the backend of our application, and upon each user request, several services at the backend have to be called to collect the requested data. Thus, we will examine each standard not only in terms of security issues, but also in the context of additional traffic and server load they generate. Here we go.
What is a RESTful API and how does it work?
Let’s start with a definition of API itself. API is short for an Application Programming Interface. It means a set of operations that allow software parts to communicate with each other. An API provides developers with building blocks so they can build a proper solution. Depending on the specifications, APIs may vary and developers can use only parts that they need.
Now we define RESTful. REpresentational State Transfer (or REST) is an architectural style that guides developers on the way to creating a web service. There are six main constraints that REST applies:
- Uniform Interface
- Stateless
- Layered System
- Client-Server
- Cacheable
- Code on Demand
Thus, a RESTful API is a programming interface that follows the REST principles and provides communication between RESTful web services.
Common API Security Challenges
Since nothing is perfect in this world, security implementation in RESTful web services has some points to consider before starting working on them.
DOS attacks
A Denial of Service (or DOS) attack implies that an attacker sends an overwhelming number of messages with requests that have an invalid return address. RESTful API can easily shut down because of it.
Despite the fact that your API may not be revealed to the public, it still can suffer from DOS attacks. Since such an attack can damage the access to the API for everyone—your clients, partners, apps, devices, and more), you should pay a lot of attention to security.
Farming
There are plenty of websites that use information from other sources to show the client the best buying deals, for example. To do that, they may take advantage of other services’ APIs to accumulate information. That is what farming looks like.
When you implement authentication, it prevents your API from exploitation and overloading.
Man-In-The-Middle
When this type of attack happens, a hacker is located right between a sender and a recipient. It can be a transparent attack or the hacker can pretend to be one of the parties. The final goal is to get access to unencrypted information.
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols can save the day here. The right configuration of TLS/SSL can provide secure and clear communication between a client and a server.
Read more: https://yellow.systems/blog/rest-security-basics
