0

What is the industry best practice when it comes to GET or DELETE operations which need a resource identifier to be sent but that identifier needs to be secured and therefore can not be sent in as a path parameter.

For example let's say I have an API for giftcards. GET: v1/giftcards/{id} and DELETE v1/giftcards/{id}

Sending the giftcard id in the path will expose it so I want to know what is the best practice for REST Apis in these cases? Should the resource identifier be sent in as a header (even though this is not meta data)? Or should this endpoint be converted to a POST request?

edkohls
  • 1
  • Aren't you better off just ensuring that the ID is encrypted? – strickt01 Jul 23 '19 at 23:11
  • Consider https://stackoverflow.com/questions/8858102/with-https-are-the-url-and-the-request-headers-protected-as-the-request-body-is. The path is not more "exposed" than the headers or the body. – tkruse Jul 23 '19 at 23:41

1 Answers1

0

See https://security.stackexchange.com/questions/144891/hiding-sensitive-data-in-uris

Basically you have three options:
- encrypt id with public key
- move id into header
- move id into body

chen
  • 1
  • Are there any public APIs that can be followed as an example for having resource identifiers in the header? – edkohls Jul 23 '19 at 23:02