
This may be a stupid question, but how can one write a secure RESTful API? If I want to ensure that the client is a valid user, would it be unwise to send a post request with the following object?

{
  "user": "some_user",
  "password": "some_password",
  "field1": "some_data",
  "field2": "some_more_data"
}

I currently hesitate to do something like that. Doesn't that reveal the username and password in plain text to everyone on the network and everything between the client and the server? Should I use SSL or something similar? Are there any RESTful security readings you have found valuable?

Thanks for the help.

davenportw15
  • I don't think it's a good idea. Never send a response with sensitive data. Read this http://stackoverflow.com/a/430189/1055987 – JFK Oct 01 '14 at 23:12
  • JWT, look at http://jwt.io/ and http://jpadilla.com/post/73791304724/auth-with-json-web-tokens – vzamanillo Oct 02 '14 at 08:34

1 Answer


For a RESTful API it is not recommended to pass the credentials in the JSON body in every request; instead you use the headers to authenticate each call. For further options on how to secure your API you can check this blog (full disclosure: I work for that company, but since it's what we do, I think it is a good resource).

jbarrueta
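The pattern the answer and the JWT comments point at, shown as an added example that is not part of the question, the answer, or any library they mention: the username and password travel exactly once, to a login endpoint; every later call carries a signed, expiring token in the `Authorization: Bearer` header and the JSON body holds only application data. The HMAC-signed token format, `SERVER_SECRET`, the salt, the `USERS` table and the `handle_update` endpoint are all constructed for this example (a real service would use a vetted JWT library); TLS is still required for both the login call and the token-bearing calls, because the example protects identity, not confidentiality on the wire.

```python
"""Added example: header-based, token authentication for a REST API instead
of sending user/password in the body of every request. Standard library only.
Token format, secret, salt and user table below are constructed for this demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample data: one user whose password is stored salted and hashed.
SERVER_SECRET = b"example-only-signing-key-rotate-me"   # assumption: kept server-side
_SALT = b"example-salt"
USERS = {
    "some_user": hashlib.pbkdf2_hmac("sha256", b"some_password", _SALT, 100_000),
}
TOKEN_TTL_SECONDS = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login(body: dict, now: Optional[float] = None) -> Optional[str]:
    """Step 1: credentials are sent once, to the login endpoint only.
    Returns a signed token on success, None on failure."""
    now = time.time() if now is None else now
    stored = USERS.get(body.get("user", ""))
    # Hash the candidate even for unknown users so timing does not reveal existence.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", body.get("password", "").encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    claims = {"sub": body["user"], "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def authenticate(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Step 2: each later call carries `Authorization: Bearer <token>`.
    Returns the user name if the token is valid and unexpired, else None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or "." not in token:
        return None
    payload_b64, _, sig_b64 = token.partition(".")
    try:
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def handle_update(headers: dict, body: dict) -> Tuple[int, dict]:
    """Example resource endpoint: identity comes from the header, never the body."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthorized"}
    return 200, {"updated_by": user,
                 "field1": body.get("field1"), "field2": body.get("field2")}


if __name__ == "__main__":
    token = login({"user": "some_user", "password": "some_password"})
    print("token:", token)
    print(handle_update({"Authorization": "Bearer " + token},
                        {"field1": "some_data", "field2": "some_more_data"}))
    print(handle_update({}, {"field1": "some_data"}))
```

The body of the update call no longer contains a password, so a logged request body or a mis-scoped cache never captures credentials; the token is bounded by `exp`, and `hmac.compare_digest` is used for both the password hash and the signature check so that verification time does not depend on how many bytes match.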