
My website has a REST API that is being utilized by AJAX, but I'm concerned about the security of my current method:

  1. I generate a hmac hash (using a combination of unique info) and send it, along with the unique info, in the AJAX request to the REST API.

  2. The REST API then generates another hmac, with the unique info it received in the AJAX request, and compares the hash.

  3. If the hash is the same, it returns the REST API data.


This works, but I don't think I'm doing this right. The hash always remains the same, so a scraper can just crawl the site and collect all of the hashes and run it through the REST API.

How can I secure this API more, and keep it compatible with AJAX requests?

  • Harry Houdini should see this question; he would love to guess :) Would you please add some code showing what your code looks like and what you have tried. Commented Feb 8, 2020 at 14:41
  • Maybe you can generate a dynamic token for every session like Laravel does. Commented Feb 8, 2020 at 14:53
  • If you say you want to "secure" something, please make it clear what the threat is. I gather you want to prevent unauthorized use of your API, but even that isn't clear. Commented Feb 9, 2020 at 0:31
  • @JamesReinstateMonicaPolk The threat here is a scraper being able to scrape the hashes (the hashes will not change with my current security) and run them through the API. Commented Feb 9, 2020 at 0:39
  • Why do you care if someone obtains hashes? What bad or undesirable thing are you trying to prevent? Commented Feb 9, 2020 at 0:41

1 Answer

How to Secure Your REST API

Security isn’t an afterthought.

It has to be an integral part of any development project, and that includes REST APIs. There are multiple ways to secure a RESTful API, e.g. basic auth, OAuth, etc.

But one thing is sure: RESTful APIs should be stateless, so request authentication/authorization should not depend on cookies or sessions.

Instead, each API request should come with some sort of authentication credentials, which must be validated on the server for each and every request.

Best Practices to Secure REST APIs

The points below may serve as a checklist for designing the security mechanism for REST APIs.

Keep it Simple

Secure an API/System – just how secure it needs to be. Every time you make the solution more complex “unnecessarily,” you are also likely to leave a hole.

Always Use HTTPS

By always using SSL, the authentication credentials can be simplified to a randomly generated access token that is delivered in the username field of HTTP Basic Auth. It’s relatively simple to use, and you get a lot of security features for free.

If you use HTTP/2 to improve performance, you can even send multiple requests over a single connection; that way you avoid the complete TCP and SSL handshake overhead on later requests.

Use Password Hash

Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempts. There are many such hashing algorithms which can prove really effective for password security e.g. PBKDF2, bcrypt and scrypt algorithms.

Never expose information on URLs

Usernames, passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs, which makes them easily exploitable.

https://api.domain.com/user-management/users/{id}/someAction?apiKey=abcd123456789 //Very BAD !!

The above URL exposes the API key. So, never use this form of security.

Consider OAuth

Though basic auth is good enough for most APIs and, if implemented correctly, is secure as well, you may still want to consider OAuth. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Consider Adding Timestamp in Request

Along with other request parameters, you may add a request timestamp as a custom HTTP header in API requests. The server will compare the current timestamp to the request timestamp and only accept the request if it is within a reasonable timeframe (1-2 minutes, perhaps).

This will prevent very basic replay attacks from people who are trying to brute force your system without changing this timestamp.

Input Parameter Validation

Validate request parameters as the very first step, before they reach the application logic. Put strong validation checks in place and reject the request immediately if validation fails. In the API response, send relevant error messages and an example of the correct input format to improve the user experience.

Thanks to “The Protection of Information in Computer Systems” by Jerome Saltzer and Michael Schroeder.

See : https://owasp.org/www-project-cheat-sheets/cheatsheets/REST_Security_Cheat_Sheet


1 Comment

Thank you for this @Dlk. However, to me it's not clear what kind of security is best for my issue, since I'm looking for secure API usage, with AJAX in mind.
