RESTful Web Services - Security



Because RESTful Web Services are exposed over HTTP URL paths, a RESTful Web Service must be safeguarded in the same way as a website is secured.

Following are the best practices to be adhered to while designing a RESTful Web Service −

  • Validation − Validate all inputs on the server side; never trust client-supplied data. This protects your server against SQL and NoSQL injection attacks.

  • Session Based Authentication − Use session-based authentication to authenticate the user on every request made to a Web Service method.

  • No Sensitive Data in the URL − Never place a username, password or session token in a URL; pass such values to the Web Service in the request body via the POST method.

  • Restriction on Method Execution − Restrict which HTTP methods (GET, POST, DELETE) each resource accepts. A GET request must never delete or otherwise modify data.

  • Validate Malformed XML/JSON − Check that the XML or JSON passed to a web service method is well-formed before processing it.

  • Throw Generic Error Messages − A web service method should respond with standard HTTP error codes, such as 403 for access forbidden, rather than exposing internal error details.

HTTP Code

Sr.No.  HTTP Code  Description
1       200        OK − shows success.
2       201        CREATED − when a resource is successfully created using a POST or PUT request. Returns a link to the newly created resource in the Location header.
3       204        NO CONTENT − when the response body is empty, for example after a DELETE request.
4       304        NOT MODIFIED − used to reduce network bandwidth usage for conditional GET requests. The response body should be empty; headers should carry date, location, etc.
5       400        BAD REQUEST − states that invalid input was provided, for example a validation error or missing data.
6       401        UNAUTHORIZED − states that the user is using an invalid or wrong authentication token.
7       403        FORBIDDEN − states that the user does not have access to the method being used, for example DELETE access without admin rights.
8       404        NOT FOUND − states that the method is not available.
9       409        CONFLICT − states a conflict situation while executing the method, for example adding a duplicate entry.
10      500        INTERNAL SERVER ERROR − states that the server threw an exception while executing the method.
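As an added example (not code from the original page), the following Python request handler applies the best practices listed above and maps each failure to a status code from the table. The session table, item store, /items paths and the X-Session-Token header name are constructed assumptions for the example.

```python
import json

# Constructed session table and data store (assumptions, not from the page).
SESSIONS = {"tok-admin": {"user": "alice", "role": "admin"},
            "tok-user": {"user": "bob", "role": "user"}}
ITEMS = {"widget": {"name": "widget"}}
SENSITIVE_KEYS = {"username", "password", "token", "session"}


def handle(method, path, query, headers, body=None):
    """Process one request and return (status, payload, extra_headers).

    Every failure maps to a generic status code from the table above; the
    payload never echoes exception text or the offending input."""
    try:
        # No sensitive data in the URL: refuse credentials in the query string.
        if SENSITIVE_KEYS & set(query):
            return 400, {"error": "bad request"}, {}
        # Session-based authentication via a header (assumed name), not the URL.
        session = SESSIONS.get(headers.get("X-Session-Token", ""))
        if session is None:
            return 401, {"error": "unauthorized"}, {}
        # Restriction on method execution: only GET/POST/DELETE; DELETE needs admin.
        if method not in ("GET", "POST", "DELETE"):
            return 403, {"error": "forbidden"}, {}
        if method == "DELETE" and session["role"] != "admin":
            return 403, {"error": "forbidden"}, {}
        name = None if path == "/items" else path.rsplit("/", 1)[-1]
        if method == "GET":  # GET is read-only and never touches ITEMS
            if name is None:
                return 200, {"items": sorted(ITEMS)}, {}
            item = ITEMS.get(name)
            return (200, item, {}) if item else (404, {"error": "not found"}, {})
        if method == "DELETE":
            if ITEMS.pop(name, None) is None:
                return 404, {"error": "not found"}, {}
            return 204, None, {}
        # POST: reject malformed JSON and invalid fields before touching the store.
        try:
            data = json.loads(body or "")
        except ValueError:
            return 400, {"error": "bad request"}, {}
        new = data.get("name") if isinstance(data, dict) else None
        if not isinstance(new, str) or not new.isalnum():
            return 400, {"error": "bad request"}, {}
        if new in ITEMS:
            return 409, {"error": "conflict"}, {}
        ITEMS[new] = {"name": new}
        return 201, {"name": new}, {"Location": f"/items/{new}"}
    except Exception:  # generic error message: no stack trace or internals leak
        return 500, {"error": "internal server error"}, {}
```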
