Monday, June 2, 2014

How to Secure Your REST API the Right Way

Les Hazelwood, CTO at Stormpath, told Gluecon attendees today that he and his staff spent 18 months researching REST security best practices, implementing them in the Stormpath API, and figuring out what works. Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Its intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.

In a rapid-fire presentation, Les covered the various protocols and techniques for securing your REST API the right way. Among his highlighted points:

  • Never use Basic Authentication, if possible 
  • Favor HMAC-SHA256 digest algorithms over bearer tokens 
  • Use OAuth 1.0a or OAuth 2 (preferably MAC) 
  • “Only use a custom scheme if you really, really know what you’re doing” 
  • 401 “Unauthorized” really means unauthenticated 
  • “OAuth is an authorization protocol, NOT an authentication or SSO protocol,” Hazelwood said. But there are those who still try to use OAuth for authentication – for example, OpenID Connect. 
  • JSON Web Token (JWT) is “a very new spec, but clean and simple. We like it.”
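To make the "HMAC-SHA256 digest over bearer token" point concrete, here is an added example (not Stormpath's code and not from the talk): the client signs the method, path, timestamp and body hash with a shared secret that never crosses the wire, and the server recomputes the digest from its stored copy and compares in constant time. The header names, key id, secret and clock-skew window are made-up values for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample credential for this example; a real service would issue
# the key id and secret at provisioning and keep the secret server-side.
API_KEYS = {"key-123": b"s3cr3t-shared-only-at-provisioning"}
CLOCK_SKEW_SECONDS = 300  # assumed window; reject timestamps outside it


def canonical_string(method, path, timestamp, body):
    """Join every field the signature must cover, so that changing the
    method, path, time or body invalidates the digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: send the key id, a timestamp and the HMAC-SHA256 digest.
    Unlike Basic auth or a bearer token, the secret itself is never sent."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, ts, body).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": digest}


def verify_request(headers, method, path, body, now=None):
    """Server side: look up the secret, reject stale timestamps, recompute the
    digest and compare in constant time. True only for a fresh, untampered
    request signed with the right secret."""
    secret = API_KEYS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False  # unknown key id
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False  # malformed timestamp
    current = int(time.time()) if now is None else now
    if abs(current - ts) > CLOCK_SKEW_SECONDS:
        return False  # too old or too far in the future: likely a replay
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```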
