REST vs Security

A few days ago, I came across news about how hackers stole 200,000+ Citi accounts by simply changing the numbers in the URL. It seems that the developers compromised the security for RESTful, and also did not bother to save the session identifier instead of userId. I am also working on a product where security is a major concern, so I wonder if REST should be avoided and mail requests used everywhere in this case? Or am I missing something important in REST?

+3
7 answers

Do not blame the model for poor implementation, but learn from the mistakes of others.

This is my (short) opinion, but I'm sure the best answers will be added :)

(P.S. - using POST)

+5
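The problem described in the question (an account number in the URL that the server trusts without checking who is asking) is an object-level authorization failure, not a property of REST. The following is an added example, not code from the thread or from any product it mentions; it uses a constructed in-memory account table and a hand-rolled request model in place of a real web framework. It puts the vulnerable handler beside a hardened one: the hardened version resolves the caller from an opaque server-side session token and then checks that the requested account belongs to that caller, so editing the number in the URL yields nothing.

```python
"""Added example: object-level authorization on a REST resource.

Constructed data and a minimal request/response model stand in for a real
framework; the two handlers are the point of comparison.
"""
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 980.50},
}

# Server-side session store: opaque token -> authenticated principal.
# The client holds only the token; the user id never leaves the server.
SESSIONS: dict[str, str] = {}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def login(username: str) -> str:
    """Issue an unguessable session token (assumes credentials were already verified)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


ACCOUNT_PATH = re.compile(r"^/accounts/(\d+)$")


def vulnerable_get_account(req: Request) -> Response:
    """Insecure: trusts the identifier in the URL and performs no ownership check.

    Anyone who can reach the endpoint can enumerate account numbers.
    """
    m = ACCOUNT_PATH.match(req.path)
    if not m:
        return Response(404, {"error": "not found"})
    acct = ACCOUNTS.get(m.group(1))
    if acct is None:
        return Response(404, {"error": "not found"})
    return Response(200, acct)


def hardened_get_account(req: Request) -> Response:
    """Secure: identity comes from the session; the object must belong to that identity."""
    m = ACCOUNT_PATH.match(req.path)
    if not m:
        return Response(404, {"error": "not found"})

    # 1. Authenticate: resolve the opaque session token server-side.
    cookie = req.headers.get("Cookie", "")
    token = cookie.removeprefix("session=") if cookie.startswith("session=") else ""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401, {"error": "authentication required"})

    # 2. Authorize: the requested object must be owned by the authenticated principal.
    acct = ACCOUNTS.get(m.group(1))
    if acct is None or acct["owner"] != user:
        # 404 rather than 403, so the response does not confirm that the id exists.
        return Response(404, {"error": "not found"})
    return Response(200, acct)


def demo() -> dict[str, int]:
    """Alice, logged in, asks for Bob's account through both handlers."""
    token = login("alice")
    cross_tenant = Request("GET", "/accounts/1002", {"Cookie": f"session={token}"})
    own = Request("GET", "/accounts/1001", {"Cookie": f"session={token}"})
    return {
        "vulnerable_cross_tenant": vulnerable_get_account(cross_tenant).status,  # 200
        "hardened_cross_tenant": hardened_get_account(cross_tenant).status,      # 404
        "hardened_own": hardened_get_account(own).status,                        # 200
        "hardened_no_session": hardened_get_account(Request("GET", "/accounts/1001")).status,  # 401
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The design choice worth noting is that the check is done on every object access against the principal the session store returns, not against anything the client sent in the URL or body. Switching the endpoint from GET to POST would not change the outcome either way; only the ownership check does.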

, , REST, SOAP Web. , .

. , , . URL- :

http://example.com/site/orders?orderId=1234

, ( ), orderId - OrderId, , . - , (SQL ..) , (AND WHERE SQL).

, , URL-, .

+4

, GET POST. GET, [ User-Agent, ]:

GET /Testing/?foo=bar&submit=submit HTTP/1.1
Host: localhost
User-Agent: ...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/Testing/demoform.html

, POST:

POST /Testing/ HTTP/1.1
Host: localhost
User-Agent: ...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/Testing/demoform.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

foo=bar&submit=submit

, , , " ", .

GET , foo = bar submit = submit . POST , , ... ! foo = bar submit = submit. .

. ?foo=bar&submit=submit, - . , , , . - , URL- , ; .

- , . , ( https SSL/TLS). , . - , , , , . , , - .

REST. , , HTTP, , /, .

+2
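The two captured requests above carry exactly the same form data; the only difference is whether it sits in the request target or in the body. As an added example (not part of the answer), the parser below takes raw HTTP text, including the two requests quoted above, and recovers the parameters from either location. It shows why moving from GET to POST hides nothing from anyone who can read the plaintext stream; what keeps the data off the wire is TLS, not the method.

```python
"""Added example: recover form parameters from raw GET and POST requests.

The two request texts are the ones quoted in the answer above, reassembled
with CRLF line endings and the blank line that separates headers from body.
"""
from urllib.parse import parse_qs, urlsplit

COMMON_HEADERS = (
    "Host: localhost\r\n"
    "User-Agent: ...\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    "Keep-Alive: 115\r\n"
    "Connection: keep-alive\r\n"
    "Referer: http://localhost/Testing/demoform.html\r\n"
)

RAW_GET = "GET /Testing/?foo=bar&submit=submit HTTP/1.1\r\n" + COMMON_HEADERS + "\r\n"

RAW_POST = (
    "POST /Testing/ HTTP/1.1\r\n"
    + COMMON_HEADERS
    + "Content-Type: application/x-www-form-urlencoded\r\n"
    + "Content-Length: 21\r\n"
    + "\r\n"
    + "foo=bar&submit=submit"
)


def extract_form_params(raw: str) -> dict[str, list[str]]:
    """Return every form parameter visible in a plaintext HTTP request.

    Query-string parameters are read from the request target; for an
    application/x-www-form-urlencoded body, parameters are read from the body
    as well (honouring Content-Length), so GET and POST are treated alike.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    params = parse_qs(urlsplit(target).query)

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        for key, values in parse_qs(body[:length]).items():
            params.setdefault(key, []).extend(values)

    return params


if __name__ == "__main__":
    print("GET :", extract_form_params(RAW_GET))
    print("POST:", extract_form_params(RAW_POST))
```

Run it and both lines print the same parameters. The GET variant additionally ends up in server access logs, browser history and any Referer header sent onward, which is a reason to prefer POST for sensitive fields even over HTTPS, but it is a data-handling reason, not confidentiality on the wire.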

POST , RESTful, , GET.

, . .

: GET- , , , , - rogue http://yourbank.com/actions/withdraw/300USD, URL- , . , POST.

, , .

0

POST GET - " ". , , HTTP, POST.

, , .

, ​​ , URL-, REST .

, , REST, HTTPS - , .

0

, REST - .

, , "" - - - . , -, REST.

- , - REST.

0

, https:// POST, http:// GET.

, , .

(... and refrain from the error of authenticating with https:// and switching to http:// later, which was the "de facto standard" until a few months ago, when someone published a tool that made the obvious)

-1
