
I am creating a REST API. Basic idea is to send data to a server and the server gives me some other corresponding data in return. I want to implement this with SSL. I need to have an encrypted connection between client and server. Which is the best REST framework in python to achieve this?

phanny
  • Try [djangorestframework](http://www.django-rest-framework.org/). SSL will be implemented besides the REST APIs. So what does SSL have to do with the REST framework? Just a question in case I am missing something. – gautamaggarwal Feb 23 '18 at 06:35
  • If my project is in Flask and has to send the data received from the server to it, can I talk to Flask irrespective of which framework I use for the REST API? – phanny Feb 23 '18 at 06:42
  • I think you are talking about server-to-server communication here. I am guessing there are two platforms you are talking about. One is on Flask, that is some website that is consuming data, and the other is the REST API for which you want to learn about a stack. Even in that case your REST APIs will be on a server as a microservice that can communicate with any other stack if they agree on a common protocol for sharing data like JSON, XML or YAML. In that case it does not matter what your REST APIs are built in, and SSL has nothing to do with the framework as far as I know. – gautamaggarwal Feb 23 '18 at 06:49

2 Answers


You can choose any framework to develop your API. If you want SSL on your API endpoints, you need to set up SSL with the web server that is hosting your application.

You can obtain a free SSL cert using Let's Encrypt. You will however need a domain in order to be able to get a valid SSL certificate.

The SSL connection between client and server does not depend on the framework you choose. Web servers like Apache HTTPD and Nginx act as the public-facing reverse proxy to your Python web application. Configuring SSL with your web server will give you encrypted communication between client and server.

0xtvarun
  • Why do we need a public-facing reverse proxy for the Python web application? If I have an application with Flask or Django, I understand that I need to configure SSL with it. Isn't this all? So where does Nginx or Apache come into the picture? – phanny Feb 26 '18 at 10:17
  • Sorry for the multiple edits. Your earlier comment was pretty useful. I would be glad if you can post it again. @0xtvarun – phanny Feb 26 '18 at 10:20
  • The comment looked out of context once you deleted yours, hence I deleted it. Anyway, like I said, if you are making calls from the client side you don't need a REST framework; any HTTP library should work. – 0xtvarun Feb 26 '18 at 10:25
  • For the other question you can refer to these answers: https://stackoverflow.com/a/32042429/4365969, https://serverfault.com/a/590833/302045 – 0xtvarun Feb 26 '18 at 10:25
  • Thank you. I got a pretty clear idea of all this. So, if I understood it correctly, I need to configure SSL with the Django server (using neither Nginx nor Apache) if I have a Django application. This will make my entire website secured. But what if I am talking to multiple servers for data and I want to secure only one particular connection with one particular server? – phanny Feb 26 '18 at 10:33
  • If you want SSL you need to configure it with the web server, not Django. When you say talking to multiple servers, does that mean that you are calling them from the client, or does the server make the request? – 0xtvarun Feb 26 '18 at 10:36
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/165811/discussion-between-phanny-and-0xtvarun). – phanny Feb 26 '18 at 10:36
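As an added example (not part of 0xtvarun's answer), here is a minimal Nginx server block that does what the answer describes: it terminates TLS with a Let's Encrypt certificate and reverse-proxies to the Python app, which keeps speaking plain HTTP on localhost. The domain api.example.com, the certificate paths and the upstream port 8000 are assumptions.

```nginx
# Added example, not from the answer. Domain, cert paths and upstream
# port 8000 are assumptions; the framework behind gunicorn does not matter.

server {
    listen 80;
    server_name api.example.com;
    # Never serve the API in plaintext; send every HTTP request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # Certificate and key as written by certbot (Let's Encrypt).
    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    # Modern TLS only: no SSLv3, TLS 1.0 or TLS 1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Tell clients to keep using HTTPS for this host (HSTS).
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # The Django/Flask app runs under gunicorn on the loopback
        # interface; only this machine can reach it, so plain HTTP is fine.
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the app know the original request was HTTPS, e.g. for
        # Django's SECURE_PROXY_SSL_HEADER or Werkzeug's ProxyFix.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The app itself needs no TLS code; the only framework-side step is trusting X-Forwarded-Proto from this proxy so that redirects and secure cookies use https.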

On the assumption that you are talking about communication between REST APIs and some other stack like Flask (a different server):

REST APIs can be used to communicate data with any type of platform as long as they agree on a common protocol to share data.

Data can be shared using XML, YAML or JSON. Your REST APIs can be on any stack you like. The architecture will be something like:

Your main site(microservice or monolithic) <=> REST Apis(microservices) 

You can use djangorestframework or any other you prefer.

gautamaggarwal
  • Thanks for the information. I(client) want to create an encrypted connection initially and then start communication with the server. So how do I establish that initial encrypted connection? – phanny Mar 05 '18 at 06:58
  • Well, create a dummy API first that does not expose any sensitive data from the REST API server. Then set up SSL using Certbot or via manual configuration. SSL encrypts your communication and is very safe. Then do a test by hitting the API on your REST server. Then you can proceed with developing other APIs. Did I answer your question? I hope so! – gautamaggarwal Mar 05 '18 at 07:35
  • I do have a dummy API. Everything works fine with `requests`, but I want to have an alive encrypted session. I think `requests` creates and kills the session. I don't want this to happen. Also, how do I send data by encrypting it so that the server can decrypt it? Doesn't the client have to generate a private key? I don't see all this happening with `requests`. Is this really not happening with `requests`, or is it just abstracted from me? – phanny Mar 05 '18 at 07:53
  • You are mixing a lot of stuff bro. You need to read. You want REST APIs and then a session? Sessions are against REST. Do you see HTTPS in your requests? If yes, then your data is getting encrypted and decrypted. You don't need to worry about it. SSL handles encryption and decryption on its own and it is abstracted from you. No code needs to be written to handle that, unless or until you mean something else by encryption. Do you want to do additional encryption of request data? If yes, read about JWT if you need. Besides that, if you want to handle login via JWT, you will need to generate a token – gautamaggarwal Mar 05 '18 at 08:01
  • and pass that token to the client (web browser or app). That token will be sent in each request from the client, and the user will be considered logged in as long as the token is valid and authenticates the request. Remember, authentication happens at each request. Also make sure the token is time-limited, else there is a danger of a replay attack, but as long as SSL is there, there are fewer chances of it happening. Sessions are against REST as REST is meant to be stateless, and each request must have the data it needs to serve the request. – gautamaggarwal Mar 05 '18 at 08:04