I am developing an Android application that communicates with a rails server. I don't want to ignore the authenticity_token but I also don't think asking for it is the right answer. What can be done to protect my POST requests?
Asked
Active
Viewed 897 times
1 Answers
5
It's uncommon to require authenticity tokens when you use an API, as you would for an Android application; this is because authenticity tokens are generated to protect against cross-site request forgery attacks, which are only possible with a session... and usually if you're accessing an API you don't (or can't) use a session. So I wouldn't be too concerned about generating authenticity tokens here.
To protect your POSTs -- or indeed any request -- there are a number of options available to you. Simplest would be to authenticate each request with HTTP basic, and more complicated but arguably more secure would be to implement OAuth. Either way would provide some security for people using your app and connecting to your website.
Veraticus
- 15,944
- 3
- 41
- 45
-
Thanks for your fast answer. You just confirmed my predictions. It's a school project so security is not the main issue. I'm using Devise so I'll try to work with that to encrypt my communications. Just wanted to make sure I wasn't missing something. Thanks once again. – jmpenetra Apr 26 '12 at 16:17
-
1No problem! If my answer helped, mark it as the correct one; then people will be more likely to help you on Stackoverflow in the future. – Veraticus Apr 26 '12 at 16:19
-
I've searched about API implementation in these days, of course it's a good topic for another question...suppose I require HTTP basic authentication for an API call and the application is using even HTTPS, there is always the problem the password is somewhat in clear in the device, is it right? – Aldo 'xoen' Giambelluca Apr 26 '12 at 16:47