0

I'm currently working on a new REST Web Service, developed in Django REST Framework, and while defining URLs I had a doubt about it's security. Following the standards that defined GET method for list data from a database, I doesn't understand if this can be a safe method to bring data.

Imagine this situation:

I access an URL /patients defined to return a list of patients. This list is not public and can only be requested by authorized users. Since not all users can see all patients, I create an hash code that works as key, allowing to list patients for that specific user. If no hash code provide, the method returns an 403 forbiden.

It work something like this: /patients/HASHCODE

Since my hash code is request in the URL and not inside of the body of HTTP message, like it would be if done by POST method, this looks unsafe me. I know that SSL can hide some information of requests, but not about a GET request. And of course this hash should not be visible for no one.

Can I say this is a safe method to access my API? If not, how should I implement this?

Matheus Hernandes
  • 629
  • 1
  • 6
  • 25

1 Answers1

3

First of all, you must use HTTPS, as it ensures that both body and headers will be encrypted. Pick a certificate issued by a certification authority and stay away from self-signed certificates.

If what you call hash means an access token, then it belongs to the Authorization header with the Bearer authentication scheme (refer to this answer for details). Alternatively, you may want to use a cookie with both HttpOnly and Secure flags set.

I also advise you to look into some sort of authorization mechanism for your application: according to the user roles or authorities, retrieve the data they can access or refuse the request. It's very likely your web framework already provides you some sort for authorization mechanism. Let me also highlight that you should't write your own security-related stuff (unless you really know what your are doing).

Any sort of sensitive information (such as credentials, access tokens, you name it) must never ever be sent in the URL: The requested URL may be logged by servers and proxies; If the URL is requested by a browser, the URL goes to the browser history. You surely want to avoid that.

GET is meant for data retrieval while POST is kinda a catch all verb, that is, the representation sent in the payload will be processed according to the resource's own specific semantics). If you need to send sensitive information to the server, I would advise you to use POST, sending any sensitive data in payload which will be encrypted over HTTPS.

Community
  • 1
  • 1
cassiomolin
  • 124,154
  • 35
  • 280
  • 359
  • I have just another question: usually in REST applications we use GET for list and retrieve information. Following your advises, for sensitive information i should use POST for these methods? – Matheus Hernandes May 23 '19 at 01:07
  • @MatheusHernandes I've updated my answer with details on this. – cassiomolin May 23 '19 at 01:18
  • 1
    I thought I were doing something wrong, very thanks for the hand. – Matheus Hernandes May 23 '19 at 01:24
  • 1
    that `HTTPS` would expose requested `URL` is certainly wrong; only the `IP` gets exposed... and for patient information there are even specific regulations to follow, eg. https://www.hhs.gov/hipaa/index.html (better consider having the code being audited sooner or later before writing the first line). – Martin Zeitler May 23 '19 at 01:26
  • @MatheusHernandes Again: If what you call _hash_ is an _access token_ and it's sent it in the URL, then you are not in the right path... – cassiomolin May 23 '19 at 01:30
  • @cassiomolin where exactly is the difference, in between the URL and the request header... security-wise I see none. while for proper security, browser smart-code events could be utilized - simply because the risk of having software-only solution is that an URL can be shared, tokens can be shared ...while a FIPS-201-2 compliant smart-card requires some more effort to duplicate (and in a hospital, the keyboards often have those readers embedded). – Martin Zeitler May 23 '19 at 01:40
  • @cassiomolin this hash is something I was trying to do, to define what patients the user can see information, not authentication tokens or anything like this. Surely is not right, I have to find a better way to control what data the users can see. It's been very tricky to find a way do to that even with Django. – Matheus Hernandes May 23 '19 at 01:42
  • 1
    @MatheusHernandes on [security.stackexchange.com](https://security.stackexchange.com) you might get more qualified answers concerning which security standards to apply in a hospital environment... "somehow it works" might not suffice there (unless it might be an inventory system for hardware upgrades, as I've once wrote it)... the fines are usually high for breaching HIPAA (or alike) regulations, because of the sensitivity of the information. reading them once might help a lot when it comes to decisions - because that legal framework is the only framework which matters there. – Martin Zeitler May 23 '19 at 02:05