
Securing your REST API

Chris Cornutt
November 08, 2013

Securing your REST API

With APIs becoming the de-facto standard for getting things done on the web, it's more important than ever to provide the right kind of security for your application. The options can be overwhelming with things like OAuth, signed queries, shared certificates and token authentication just to name a few. I'll go through these and some of the questions you'll need to ask as you think about protecting your API and the data that lies within.

@ True North PHP 2013


Transcript

  1. HTTP/1.0 401 Unauthorized
     WWW-Authenticate: Basic realm="Great White North"

     Authorization: Basic username:password   (base64-encoded)

     <?php
     // Basic credential: base64("username:password"); base64 is encoding, not encryption
     $auth = base64_encode($user . ':' . $pass);
     $header = 'Authorization: Basic ' . $auth;
     ?>
     Friday, November 8, 2013
  2. HTTP/1.0 401 Unauthorized
     WWW-Authenticate: Digest realm="Great White North",
         nonce="d39175b3e4a2538a01e4afe863092621",
         opaque="ef5b7a6b9f8460ba7c74589a9d7be07c"

     Authorization: Digest username="snowman",
         realm="Great White North",
         nonce="d39175b3e4a2538a01e4afe863092621",
         opaque="ef5b7a6b9f8460ba7c74589a9d7be07c",
         uri="http://foo.com/bar/baz",
         response=$response
  3. <?php
     // RFC 2617 Digest: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
     // response = MD5(HA1:nonce:HA2)
     $hash1 = md5($username . ':' . $realm . ':' . $password);
     $hash2 = md5($requestMethod . ':' . $requestUri);
     $response = md5($hash1 . ':' . $nonce . ':' . $hash2);

     // Digest parameters are comma-separated
     $header = 'Authorization: Digest '
         . 'username="' . $username . '", '
         . 'realm="' . $realm . '", '
         . 'nonce="' . $nonce . '", '
         . 'opaque="' . $opaque . '", '
         . 'uri="' . $uri . '", '
         . 'response="' . $response . '"';
     ?>
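The slides above show the client side of Basic and Digest. As an added example that is not part of the talk, here is the server side: parsing the two Authorization headers and checking them against a credential store. The realm, the sample user and password, the nonce table, and the function names are assumptions made for this example. The store holds only HA1 = MD5(user:realm:password), which is enough to verify both schemes without keeping the password itself.

```php
<?php
// Added example (not from the talk): server-side check of the Basic and Digest
// Authorization headers. Realm, credential and nonce table are constructed.
const REALM = 'Great White North';

// Constructed store: username => HA1 = md5("user:realm:password")
$credentials = [
    'snowman' => md5('snowman:' . REALM . ':igloo-2013'),
];

// Nonces the server issued and has not yet seen used (constructed for the example)
$issuedNonces = ['d39175b3e4a2538a01e4afe863092621' => true];

function verifyBasic(string $header, array $credentials): ?string
{
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    if (!isset($credentials[$user])) {
        return null;
    }
    $ha1 = md5($user . ':' . REALM . ':' . $pass);
    // Constant-time comparison so timing does not reveal how many bytes matched
    return hash_equals($credentials[$user], $ha1) ? $user : null;
}

function verifyDigest(string $header, string $method, array $credentials, array &$issuedNonces): ?string
{
    if (stripos($header, 'Digest ') !== 0) {
        return null;
    }
    // Parse key="value" (or bare key=value) pairs into an array
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $p = [];
    foreach ($m as $pair) {
        $p[$pair[1]] = $pair[2] !== '' ? $pair[2] : ($pair[3] ?? '');
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $required) {
        if (!isset($p[$required])) {
            return null;
        }
    }
    // A nonce the server never issued, or one already consumed, is a replay
    if ($p['realm'] !== REALM || empty($issuedNonces[$p['nonce']]) || !isset($credentials[$p['username']])) {
        return null;
    }
    $ha2 = md5($method . ':' . $p['uri']);
    $expected = md5($credentials[$p['username']] . ':' . $p['nonce'] . ':' . $ha2);
    if (!hash_equals($expected, $p['response'])) {
        return null;
    }
    unset($issuedNonces[$p['nonce']]);   // single use
    return $p['username'];
}

// Constructed requests: a Basic header and a Digest header built the way slide 3 does
$basic  = 'Basic ' . base64_encode('snowman:igloo-2013');
$nonce  = 'd39175b3e4a2538a01e4afe863092621';
$ha1    = md5('snowman:' . REALM . ':igloo-2013');
$resp   = md5($ha1 . ':' . $nonce . ':' . md5('GET:/bar/baz'));
$digest = 'Digest username="snowman", realm="' . REALM . '", nonce="' . $nonce
        . '", uri="/bar/baz", response="' . $resp . '"';

var_dump(verifyBasic($basic, $credentials));
var_dump(verifyDigest($digest, 'GET', $credentials, $issuedNonces));
var_dump(verifyDigest($digest, 'GET', $credentials, $issuedNonces));   // second use of the same nonce
```

Run with `php` from the command line: the Basic check and the first Digest check return the username, and the repeated Digest request fails because its nonce has been consumed. Both comparisons go through hash_equals rather than ==.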
  4. <?php
     // PECL OAuth extension: obtain a request token, then redirect the user
     // to the provider's authorize page with that token
     $oauth = new OAuth($consumerKey, $secretKey);
     $token = $oauth->getRequestToken($requestUrl, $callbackUrl);
     header('Location: ' . $authorizeUrl . '?token=' . $token['oauth_token']);
     ?>
  5. Patterns: Email, URL, Name, Login, IP, HTML, Num, Alpha, Bool, Regex
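As an added example that is not part of the talk, the slide's list of patterns turned into a validation layer that runs over request parameters before they reach the application. The field names, the rule table and the constructed request are assumptions for this example; the validators themselves are PHP's built-in filter_var, ctype and preg_match.

```php
<?php
// Added example (not from the talk): one validator per pattern named on the slide.
// Field names and rules are assumptions; the request below is constructed.
$rules = [
    'email'  => ['email'],
    'site'   => ['url'],
    'name'   => ['alpha'],
    'login'  => ['regex', '/^[a-z0-9_]{3,16}$/'],
    'ip'     => ['ip'],
    'bio'    => ['html'],
    'age'    => ['num'],
    'active' => ['bool'],
];

// Returns the cleaned value, or null when the value does not match the pattern
function validateValue(string $value, array $rule)
{
    switch ($rule[0]) {
        case 'bool':
            // yes/true/1/on and no/false/0/off are booleans; anything else is null
            return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        case 'email': $r = filter_var($value, FILTER_VALIDATE_EMAIL); break;
        case 'url':   $r = filter_var($value, FILTER_VALIDATE_URL);   break;
        case 'ip':    $r = filter_var($value, FILTER_VALIDATE_IP);    break;
        case 'num':   $r = filter_var($value, FILTER_VALIDATE_INT);   break;
        case 'alpha': $r = ctype_alpha($value) ? $value : false;      break;
        case 'regex': $r = preg_match($rule[1], $value) === 1 ? $value : false; break;
        // "HTML": keep the text but neutralise markup before it is ever echoed
        case 'html':  $r = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); break;
        default:      $r = false;
    }
    return $r === false ? null : $r;
}

function validateRequest(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $input) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $result = validateValue($input[$field], $rule);
        if ($result === null) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $result;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed request: the login contains a space and the IP is out of range
$request = [
    'email'  => 'snowman@example.com',
    'site'   => 'https://example.com/',
    'name'   => 'Chris',
    'login'  => 'snow man',
    'ip'     => '300.1.1.1',
    'bio'    => '<b>hi</b>',
    'age'    => '42',
    'active' => 'yes',
];
print_r(validateRequest($request, $rules));
```

Only fields that appear in the rule table reach the clean array, so unexpected parameters are dropped rather than passed through; the two bad fields end up under errors.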
  6. Yours:         GET /user/1/link/42
     Good guesses:  GET /user/1/link/52
                    PUT /user/1/link/42
     Alternative:   GET /user/[GUID #1]/link/[GUID #2]
                    GET /user/[username]
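As an added example that is not part of the talk, the GUID alternative from the slide: generating random identifiers for users and links, validating them on the way in, and still checking ownership on every lookup, since an unguessable id raises the cost of enumeration but does not by itself decide who may read a record. The in-memory tables, the route handler and the "authenticated user" are constructed for this example.

```php
<?php
// Added example (not from the talk): unguessable ids for /user/{id}/link/{id}.
// Tables and the authenticated caller are constructed for this example.
function newGuid(): string
{
    // RFC 4122 version 4 UUID from 16 CSPRNG bytes (122 random bits)
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC variant bits
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

const GUID_RE = '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/';

// Constructed data: two users and one link that belongs to the first of them
$users = [newGuid() => 'snowman', newGuid() => 'mountie'];
[$snowman, $mountie] = array_keys($users);
$links  = [newGuid() => ['owner' => $snowman, 'url' => 'https://example.com/a']];
$linkId = array_key_first($links);

// Resolve GET /user/{userId}/link/{linkId} for the caller authenticated as $authUser
function getLink(string $userId, string $linkId, string $authUser, array $users, array $links): array
{
    if (!preg_match(GUID_RE, $userId) || !preg_match(GUID_RE, $linkId)) {
        return ['status' => 400];   // malformed id, reject before any lookup
    }
    if ($userId !== $authUser) {
        return ['status' => 403];   // a caller may only read links under their own account
    }
    if (!isset($users[$userId], $links[$linkId]) || $links[$linkId]['owner'] !== $userId) {
        return ['status' => 404];   // same answer whether the link is missing or someone else's
    }
    return ['status' => 200, 'body' => $links[$linkId]];
}

print_r(getLink($snowman, $linkId, $snowman, $users, $links));   // own link
print_r(getLink($snowman, $linkId, $mountie, $users, $links));   // another user's account
print_r(getLink('1', '42', $snowman, $users, $links));           // the numeric ids from the slide
```

Returning 404 for both "no such link" and "not your link" keeps the response from confirming which random ids exist.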
  7. {
       "success": false,
       "error": {
         "code": 8675309,
         "message": "Error in request",
         "url": "http://oursite.com/error/8675309"
       }
     }
  8. <?php
     $public  = '1c53048f8bfbd5cced1aa2d1d5cfd788b1e3e71c';
     $private = '0f079851e936af2075bf40b1d436c287d943c29c';
     // HMAC over the payload plus the current time, keyed with the private key;
     // only the public identifier and the signature travel in the headers
     $signature = hash_hmac('sha256', $response . time(), $private);
     $headers[] = 'X-Auth-Public: ' . $public;
     $headers[] = 'X-Auth-Signature: ' . $signature;
     ?>
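As an added example that is not part of the talk, the receiving side of the signed request on the slide. The slide signs the payload together with time() but transmits only the public key and the signature, so a server has nothing to recompute the hash from; this example therefore assumes the client also sends the time in an X-Auth-Timestamp header (an assumption, not something the slide shows). The key store, the skew window and the function names are constructed for this example; the key values are the slide's sample strings.

```php
<?php
// Added example (not from the talk): verifying the HMAC-signed request.
// Assumes an X-Auth-Timestamp header in addition to the slide's two headers.
const MAX_SKEW = 300; // seconds a signature stays acceptable

// Constructed key store: public identifier => private signing key
$keys = [
    '1c53048f8bfbd5cced1aa2d1d5cfd788b1e3e71c' => '0f079851e936af2075bf40b1d436c287d943c29c',
];

// Client side, as on the slide but with the timestamp made explicit
function signRequest(string $body, string $public, string $private, int $now): array
{
    return [
        'X-Auth-Public'    => $public,
        'X-Auth-Timestamp' => (string) $now,
        'X-Auth-Signature' => hash_hmac('sha256', $body . $now, $private),
    ];
}

// Server side: look up the key, bound the clock skew, recompute, compare in constant time
function verifyRequest(string $body, array $headers, array $keys, int $now): bool
{
    foreach (['X-Auth-Public', 'X-Auth-Timestamp', 'X-Auth-Signature'] as $h) {
        if (!isset($headers[$h])) {
            return false;
        }
    }
    $private = $keys[$headers['X-Auth-Public']] ?? null;
    if ($private === null || !ctype_digit($headers['X-Auth-Timestamp'])) {
        return false;
    }
    if (abs($now - (int) $headers['X-Auth-Timestamp']) > MAX_SKEW) {
        return false;   // stale or future-dated: bounds the window in which a capture can be replayed
    }
    $expected = hash_hmac('sha256', $body . $headers['X-Auth-Timestamp'], $private);
    return hash_equals($expected, $headers['X-Auth-Signature']);
}

// Constructed request body
$body   = '{"link":"https://example.com"}';
$now    = time();
$public = array_key_first($keys);
$headers = signRequest($body, $public, $keys[$public], $now);

var_dump(verifyRequest($body, $headers, $keys, $now));          // as signed
var_dump(verifyRequest($body . ' ', $headers, $keys, $now));    // body altered in transit
var_dump(verifyRequest($body, $headers, $keys, $now + 3600));   // same headers presented an hour later
```

The private key never leaves either side; the public identifier only selects which key to verify with. Binding the timestamp into the signed string is what lets the server reject an old capture without keeping a list of every signature it has seen.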
  9. <!DOCTYPE root [
       <!ENTITY one "one">
       <!ENTITY two "&one;&one;&one;&one;">
       <!ENTITY three "&two;&two;&two;&two;">
     ]>
     <test>
       <testing>&three;</testing>
     </test>
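The slide shows an entity-expansion payload: three nested entity declarations that grow geometrically when the parser substitutes them. As an added example that is not part of the talk, a parse function for an XML API body that refuses any document carrying a DOCTYPE or ENTITY declaration before libxml sees it, caps the input size, and loads with LIBXML_NONET so nothing external is fetched. The size limit and function name are this example's own choices; the two inputs are constructed, the first being the slide's document.

```php
<?php
// Added example (not from the talk): parse an XML request body without
// honouring DTDs or entity declarations. Limits and names are this example's own.
const MAX_XML_BYTES = 1024 * 1024;

function parseXmlSafely(string $xml): ?DOMDocument
{
    if (strlen($xml) > MAX_XML_BYTES) {
        return null;
    }
    // An API payload has no business declaring a DTD or entities; reject it
    // outright instead of relying on the parser's own expansion limits.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }
    $prev = libxml_use_internal_errors(true);   // collect parse errors instead of emitting warnings
    $doc  = new DOMDocument();
    // No LIBXML_NOENT, so entity references are never substituted; LIBXML_NONET
    // stops the parser from reaching out to the network for external resources
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok ? $doc : null;
}

// Constructed inputs: the slide's document, and a plain one with no DOCTYPE
$laughs = '<!DOCTYPE root [ <!ENTITY one "one"> <!ENTITY two "&one;&one;&one;&one;">'
        . ' <!ENTITY three "&two;&two;&two;&two;"> ]><test><testing>&three;</testing></test>';
$plain  = '<test><testing>hello</testing></test>';

var_dump(parseXmlSafely($laughs) === null);              // rejected before parsing
var_dump(parseXmlSafely($plain) instanceof DOMDocument); // accepted
```

The same function also blocks external-entity declarations, since those need a DOCTYPE as well; the pre-check on the raw bytes is what makes that independent of which libxml options a later developer passes to loadXML.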