
I have developed WCF(RestService) and now I am concerned about its security.

With the help of Fiddler I got all the request and response parameters of a particular service. For example:

URL of service : ../RemoteService/WebService.svc/Login
Headers : application/json
Body : 
{
"apiSecretKey":"sda564456asdasda45sdsad452635",
"userName":"abc@test.com",
"password":"test@123"
}

The API key is my main concern, because the whole service runs on it, and if anyone gets this key, that person can access the data and use the service.

How can I make my request data more secure?

Please suggest.

Hrdk

2 Answers


You didn't describe your architecture, but this is a common problem. If you search the web for something like "secure api call with token from web application", you'll find that you should not call the API from your web page directly, as for this you indeed need to send your token to the user, who can then reuse the token for malicious purposes.

You need to "proxy" the API calls from your site, where you use a login session or separate token for authenticating and authorizing the user. So:

[Web browser] <-- session key or token --> [Web server] <-- token --> [API server]

Related reading: Programmers.SE: Securing ajax calls to rest api, REST API Token-based Authentication, REST authentication and exposing the API key

CodeCaster
  • Thanks for your answer. I am using the service for a mobile app; are there any examples for securing this API call? – Hrdk Aug 19 '15 at 11:47
  • You **cannot** secure this API call if you're going to call it from the client. You cannot trust any client. You can't prevent someone from installing your app on an emulator and inspecting the network traffic. – CodeCaster Aug 19 '15 at 12:04
  • I have read about token generation (JWT), but I can't properly understand how to implement it in an actual service. If you have any ideas or examples, please suggest them for a WCF service. – Hrdk Aug 19 '15 at 12:24
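The per-user token pattern CodeCaster describes, and the JWT-style token asked about in the comments, as an added example that is not from the original thread: the server keeps its secret to itself, the Login call verifies the user's password and returns a short-lived token signed with that secret and bound to that user, and every later call is authorised by validating the token instead of by a shared apiSecretKey. Python is used for brevity; a WCF service would implement the same two functions server-side. SERVER_SECRET, the USERS store and the salt are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-only secret: it signs tokens and never leaves the API server.
# In a real deployment it is loaded from protected configuration, not source code.
SERVER_SECRET = b"example-server-only-secret-rotate-me"

# A captured token is worth at most one user's access for this long.
TOKEN_LIFETIME_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored value is not a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (the question's sample user), holding only salted hashes.
_SALT = b"constructed-static-salt-for-demo"
USERS = {
    "abc@test.com": {"salt": _SALT, "hash": _hash_password("test@123", _SALT)},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    # HMAC-SHA256 over the encoded payload, keyed with the server-only secret.
    mac = hmac.new(SERVER_SECRET, payload_b64.encode(), hashlib.sha256).digest()
    return _b64url(mac)


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check credentials and, on success, issue a short-lived token for this user."""
    record = USERS.get(username)
    if record is None:
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    now = time.time() if now is None else now
    payload = {"sub": username, "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_sign(payload_b64)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user a token was issued to, or None if it is malformed, forged or expired."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload_b64, signature = parts
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(payload_b64), signature):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    # A token is invalid from its expiry instant onwards (exp <= now).
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


if __name__ == "__main__":
    token = login("abc@test.com", "test@123")
    print("issued:", token)
    print("validates as:", validate_token(token))
```

Compared with the request in the question, the only secret a client ever holds is a token scoped to its own account and a fifteen-minute window, so inspecting the traffic of one installed app yields no master key that unlocks every user's data. Rotating SERVER_SECRET invalidates every outstanding token at once.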

If the user is providing that data himself, then using https to secure the WCF URI is the way to go. Fiddler can read https only on your machine, and only with your permission. https will protect the data from prying eyes in the real world (well, as much as anything can.)

Also, if this is a service being called by a finite set of users (Business to Business, as opposed to Business to Consumer), you can restrict access to individual IP addresses through your firewall.

Clay Sills