I'm doing a basic RESTful API, I have doubts about security.

I implemented a basic RESTful API in PHP with OAuth2 security system and it works on HTTP.

If I have my frontend (maybe an Angular2 app) that consumes some methods of my API (mainly GET methods): this frontend authenticates against OAuth2 by sending user, password, and API token headers, and the API responds with a token to use. Can this be captured by a simple user of my frontend and used?

Is there a way to protect the API without HTTPS?

jonrsharpe
codek
    I would strongly encourage you to use https for every single request you are sending usernames and passwords in. Nowadays there are no cons for using those connections as they don't use that much server resources – rrr Dec 31 '16 at 13:28
  • You can share a key with your partner and then validate that with your configured one – Nishant Nair Dec 31 '16 at 13:36
  • @NishantNair what partner? Share it how? – jonrsharpe Dec 31 '16 at 13:46
  • use a key in encrypted format and pass it through GET params and decode it at server level and match it with the original one – Nishant Nair Dec 31 '16 at 13:48
  • @NishantNair and how does that help, exactly? A MitM can use the encrypted key just as well as an unencrypted one. – jonrsharpe Dec 31 '16 at 13:58
  • With LetsEncrypt HTTPS is free, it's however not a silver bullet that will protect the API against everything. But being free there is no reason to run anything without it anymore, especially not something that requires authentication – JimL Dec 31 '16 at 14:01
  • @jonrsharpe we can implement our own encrypt mechanism for passing it on web. So that if a MitM spoofs the url in middle then we can restrict the access. – Nishant Nair Dec 31 '16 at 14:05
  • @NishantNair ["roll your own crypto"](http://security.stackexchange.com/q/18197/72084) is a **famously awful** approach. Also it doesn't matter *how* the key is encrypted, because the MitM *doesn't need to decrypt it*, just pass it along with their fake request. That's why you want to use HTTPS, it makes it much harder to get in the middle. – jonrsharpe Dec 31 '16 at 14:06
  • @jonrsharpe having a check with the encrypted key with specific sequence can be implemented so that it cannot be easily cracked – Nishant Nair Dec 31 '16 at 14:11

2 Answers

There is no way to protect an API (or a website, for that matter), without using HTTPs.

Using HTTPs is absolutely mandatory if you are running any sort of service that users need to log into.

The reason why is that, regardless of what security protocol you may be using (OAuth2, Basic Auth, SAML, etc.) -- anyone on the same WiFi network as the end user, anyone who might be able to view network traffic between the user and your server, or any malicious applications on YOUR servers or on the CLIENT'S computer that can view network traffic can view plain text credentials and tokens.

This will always lead to hacks / etc.

If you're trying to avoid HTTPs for some reason, you really shouldn't! You can get free certificates through Let's Encrypt, as well as Amazon, and other providers.

If you're looking for reasons to keep using HTTP instead of HTTPS, you might want to read this great article on the subject: Why HTTP is Sometimes Better than HTTPS. =)

rdegges
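As an added example (not code from the question or either answer), here is a small PHP guard for the kind of API described above: it refuses to process credentials or bearer tokens that arrived over plain HTTP, redirects secret-free requests to HTTPS, and sets HSTS on HTTPS responses. `TRUSTED_PROXIES` and the `/oauth/token` path are placeholders for your own deployment.

```php
<?php
// Added example, not the asker's code: fail closed when a request that
// carries a password or token did not come in over TLS, and send HSTS so
// browsers never fall back to HTTP. Include this before OAuth2 routing.
// Assumes a TLS-terminating reverse proxy may sit in front of PHP and set
// X-Forwarded-Proto; that header is trusted only from known proxy hops.

const TRUSTED_PROXIES = ['127.0.0.1', '::1'];   // placeholder addresses
const TOKEN_ENDPOINT  = '/oauth/token';          // placeholder path

function request_is_https(array $server): bool
{
    // Case 1: the PHP web server terminated TLS itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: behind a proxy; honour X-Forwarded-Proto only from a trusted hop.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    $proto     = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return $fromProxy && $proto === 'https';
}

function carries_secret(array $server): bool
{
    // Bearer/Basic Authorization headers, PHP-parsed Basic creds, or a
    // request to the token endpoint (which carries the password itself).
    return isset($server['HTTP_AUTHORIZATION'])
        || isset($server['PHP_AUTH_USER'])
        || (parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) === TOKEN_ENDPOINT);
}

function enforce_https(array $server): void
{
    if (request_is_https($server)) {
        // One year of HSTS: the browser will upgrade future HTTP links itself.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    if (carries_secret($server)) {
        // The secret has already crossed the wire in the clear. Do not
        // redirect; reject it and treat the credential/token as exposed.
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'invalid_request',
                          'error_description' => 'TLS is required for this endpoint']);
        exit;
    }
    // No secret in this request: send the client to the HTTPS URL instead.
    $host = $server['HTTP_HOST'] ?? 'example.invalid';   // placeholder fallback
    header('Location: https://' . $host . ($server['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

enforce_https($_SERVER);
```

A 403 on the token endpoint is deliberate: a redirect cannot un-send a password that was already observable on the network, so the right response is to reject and rotate.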
OAuth2 requires HTTPS because it is designed to delegate security into the hands of a lower layer, thus no longer requiring clients to have cryptography libraries on hand; see this answer for more details.

If HTTPS availability on the server cannot be guaranteed, OAuth1.0a may be more useful in your case.

tyteen4a03