Is HTTPS relevant for REST API web services?

I have an HTTP REST API in PHP used by an iPhone application.

Some web services from this API are protected by authenticating the user via credentials in the HTTP request, but I want to avoid man-in-the-middle attacks by providing fully encrypted requests.

I am not very versed in security issues, and I could not find a clear answer to my question anywhere:

Is HTTPS relevant for a STATELESS REST API?

From what I understood, HTTPS does 2 things:

  • encrypt session
  • prove to the client that the server he is talking to is secure

So, at first glance, it does not respond to my need, which is to encrypt data between my server and the application, because the API does not use sessions. But I still have doubts.

Can anyone understand this for me?

My other solution would be to encrypt the request data using a public / private key system. Would that be better?

Thanks!

+3
4 answers

Yes, it is. HTTPS has nothing to do with the application; it is a tunneling protocol. Although TLS itself is a stateful protocol, the HTTP part passing through it is not.

As with a VPN, you can still use the REST app. TLS simply sets up and automatically tears down the tunnel for each connection.

However, there is value in using the HTTP and HTTPS pipelining aspects to increase throughput over TLS connections, but that performance tuning aspect is not related to the application itself.

+2

HTTPS , , - . , OAuth 2 HTTPS?

, , API .

"--" "" HTTP- , , . , HTTPS. , , OAuth 1 (not 2).

+2

SSL, http://www.jcryption.org/ , , , , . jquery, . , . .

0

Definitely use HTTPS if the data is sensitive - it encrypts the transport layer, which is what you are looking for. As already stated, OAuth 2.0 essentially calls for it. You can potentially avoid the man in the middle by hashing / signing, as in OAuth 1.0, and avoid using SSL, but the body is still in the clear (you avoided sending the API credentials in the clear, but not the body).

0
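As an added example (not code from the question or from any answer), this is the OAuth 1.0-style request signing the last answer contrasts with HTTPS: a per-request HMAC over method, path, query, body hash, timestamp and nonce, verified server-side with replay protection. The API key, secret, header names and request values are constructed for the demo; the point it makes is that the shared secret never travels, but the body is still readable by anyone on the path, which is the gap only TLS closes.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed demo credentials; a real deployment issues these per client.
API_KEY = "demo-client-1"
SHARED_SECRET = b"constructed-shared-secret-not-for-production"


def canonical_string(method, path, params, body, timestamp, nonce):
    """Build the string both sides sign. Every field an attacker could alter
    or replay (method, path, query, body hash, time, nonce) is covered."""
    body_hash = hashlib.sha256(body).hexdigest()
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, body_hash,
                      str(timestamp), nonce]).encode()


def sign_request(method, path, params, body, timestamp, nonce, secret=SHARED_SECRET):
    """Client side: returns the headers to attach. The secret itself is never sent."""
    msg = canonical_string(method, path, params, body, timestamp, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Api-Key": API_KEY, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(method, path, params, body, headers, now, seen_nonces,
                   secret=SHARED_SECRET, max_skew=300):
    """Server side: reject stale timestamps and reused nonces (replay), then
    recompute the HMAC over what was actually received and compare in constant time."""
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew or nonce in seen_nonces:
        return False
    msg = canonical_string(method, path, params, body, ts, nonce)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False
    seen_nonces.add(nonce)
    return True


def observer_view(body, headers):
    """What a passive on-path observer sees over plain HTTP: the signature and
    the full body. Integrity is protected, confidentiality is not."""
    return {"body": body.decode(), "signature": headers["X-Signature"]}
```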