RESTful Web Services - Security
As RESTful Web Services work with HTTP URL Paths, it is very important to safeguard a RESTful Web Service in the same manner as a website is secured.
Following are the best practices to be adhered to while designing a RESTful Web Service −
Validation − Validate all inputs on the server. Protect your server against SQL or NoSQL injection attacks.
Session Based Authentication − Use session based authentication to authenticate a user whenever a request is made to a Web Service method.
No Sensitive Data in the URL − Never use username, password or session token in a URL, these values should be passed to Web Service via the POST method.
Restriction on Method Execution − Allow restricted use of methods like GET, POST and DELETE methods. The GET method should not be able to delete data.
Validate Malformed XML/JSON − Check for well-formed input passed to a web service method.
Throw generic Error Messages − A web service method should use HTTP error messages like 403 to show access forbidden, etc.
HTTP Code
| Sr.No. |
HTTP Code & Description |
1 |
200
OK − shows success.
|
2 |
201
CREATED − when a resource is successfully created using POST or PUT request. Returns link to the newly created resource using the location header.
|
3 |
204
NO CONTENT − when response body is empty. For example, a DELETE request.
|
4 |
304
NOT MODIFIED − used to reduce network bandwidth usage in case of conditional GET requests. Response body should be empty. Headers should have date, location, etc.
|
5 |
400
BAD REQUEST − states that an invalid input is provided. For example, validation error, missing data.
|
6 |
401
UNAUTHORIZED − states that user is using invalid or wrong authentication token.
|
7 |
403
FORBIDDEN − states that the user is not having access to the method being used. For example, Delete access without admin rights.
|
8 |
404
NOT FOUND − states that the method is not available.
|
9 |
409
CONFLICT − states conflict situation while executing the method. For example, adding duplicate entry.
|
10 |
500
INTERNAL SERVER ERROR − states that the server has thrown some exception while executing the method.
|
