4

I'm putting together read and write methods to my database and exposing them via URL (I'm using CodeIgniter framework and using URL segments to pass parameters to these methods). The original idea was to have my Ajax script call these methods. However, now I am thinking I could potentially expose these methods to any developer.

What should I do to make sure only authorized developers use my API? I'm thinking they should pass an API key and possibly password to each method call. If I were to provide them with such details, would that be secure enough?

Also, I'm thinking that I should support POST instead of GET as some of the required parameters may not fit in nicely with URL segments. Thoughts?

StackOverflowNewbie
  • 39,403
  • 111
  • 277
  • 441

3 Answers3

2

First: require HTTPS.

HTTPS ensures that a secure channel is established before any request data is sent. Yes, before any request data is sent: URL, headers, cookies, GET or POST parameters... anything. This means that you can use simple methods such as HTTP Basic authentication over HTTPS without putting the user's credentials at risk.

This is really not negotiable, unless the data you are passing over the API is truly public. If you aren't using HTTPS, then any communication with your API (including HTTP Basic credentials) can be sniffed in plain text.

The only reason major sites (like Facebook) don't use HTTPS is because it gets expensive at massive scale.

If you absolutely can't run HTTPS, then you should look into OAuth, which is making strides in API authentication in exactly this situation. With OAuth you can authenticate users while keeping credentials secret over unencrypted channels.

Second: authentication is not authorization.

Don't blindly trust data from authenticated API users. Make sure that the methods and actions they are accessing are appropriate, otherwise you may give your users a backdoor into other users' data or administrative functions.

There's a lot more to it than this, but if you follow these two principles you're on your way.

John Cromartie
  • 4,184
  • 27
  • 32
  • This is very good advice, John. Perfect answer :) – BraedenP May 17 '11 at 02:44
  • The SSL (called by you as 'HTTPS') is not 'perfect' solution. This does not secure you in any means from eg. CSRF, it only hides content of the communication between parties. It also does not secure API from people without the right to access it. And OAuth is a different solution - it does not replace SSL... OAuth is for secure access is "open protocol to allow secure API authorization in a simple and standard method", not something that - like SSL / TLS - encrypts whole communication between parties. – Tadeck May 17 '11 at 06:49
  • I know OAuth is not encryption. The point is that it means you can communicate over insecure protocols using signed requests, without passing the actual credentials, so that the API provider and consumer can both trust the other party without anything like TLS in place. – John Cromartie May 17 '11 at 18:29
  • As far as CSRF goes: "authentication is not authorization" is at the core of most of these vulnerabilities. In a CSRF attack, you have an authenticated user (unwittingly) executing the attacker's own request: the error is to assume that any request from an authenticated user is OK. Protection against CSRF is not at the authentication level, but the authorization level. – John Cromartie May 17 '11 at 18:35
2

Implementing OAuth http://oauth.net/documentation/getting-started/ would work for what you're trying to do. I'm not certain of what type of data you're securing, but I agree with TradyBlix this probably best. I've implemented it before, it's not too hard to figure out, it's well documented with many APIs that handle user-data utilizing it.

Another thing you should think about is limiting API Keys to domains, so a developer can only use their API key from their own domain-essentially preventing an unauthorized developer from gaining access, at least without gaining access to an authorized domain and corresponding key.

Scott Feinberg
  • 574
  • 4
  • 20
1

Maybe you should check out OAuth. It's An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

I haven't tried it myself to be honest but it's the first thing I thought of when you mentioned authorized developers use my API. Just an idea.

tradyblix
  • 7,439
  • 3
  • 25
  • 29
  • OAuth is really about authorizing third-party applications to use an API on your behalf. For example: OAuth lets me (a Twitter user) securely authorize an iPhone app to have a certain level of access to my own Twitter through the official API. – John Cromartie May 17 '11 at 02:46