Critical Information In REST URI

Question

I am developing a Spring MVC web service. I am trying to use best practices of REST URI design. For example for getting an account the URI will be

GET   http://blablabla.com/api/accounts/123

My question is what if the account number/id is critical information and must not be in URI. What is the best approach of URI design if the id that defines the resource is a critical information of a system. Should web service get the id in request header or body? Or hash the id and contain it in URI?

Thanks in advance.

score 1 · Accepted Answer · edited May 23 '17 at 12:28

1

If by "critical" you mean sensitive/secure, I'd keep URI design AS IS, and put whole session under HTTPS, that way it would be much harder for someone to eavesdrop on the URL itself. See for instance this question

If you mean that information is so sensitive that you don't even trust access logs in your own datacenter, then you have no choice other than put it into the body of the request. Headers are not for useful payload.

edited May 23 '17 at 12:28

Community

1
1

answered Feb 21 '14 at 08:40

Igor Katkov

6,290
1
16
17

But if you do this you are no longer using REST – Software Engineer Feb 21 '14 at 16:42
And HTTPS isn't 'that' secure, btw. – Software Engineer Feb 21 '14 at 16:42

score 0 · Answer 2 · answered Feb 21 '14 at 08:38

0

Use TLS and authentication and your pain will go away.

answered Feb 21 '14 at 08:38

Michael-O

18,123
6
55
121

Critical Information In REST URI

2 Answers2