I am working on a web application where I need to pull data from a third party vendor. There are REST APIs written for this which will pull data from the third party.

My question is: How can I secure these calls? I mean, if anyone can get the endpoint then he/she will get the data; I want to prevent this.

One answer could be using authentication and authorization: here I will first send the user credentials and, upon successful validation, a token will be returned, and this token will be passed in the header of every subsequent request.

I have a question about this: if I have to pass the token in the header of every request, then I can also pass credentials with every request. Then what is the need for authentication? I can easily pass credentials in the header with every request and authenticate.

Also, if someone can answer: what are the other available options for securing such API calls?

Thanks

What I have tried:

If I have to pass the token in the header of every request, then I can also pass credentials with every request. Then what is the need for authentication? I can easily pass credentials in the header with every request and authenticate.
Updated 24-Feb-18 6:35am

1 solution

If you pass credentials at each request, then it means that the server would have to re-validate these credentials each time. Given that validating credentials is not free in terms of processor cycles and I/O, that may not be a viable solution, depending on the total charge which the server has to handle.
Whereas the token is constructed from a successful authentication and ensures that a given client has already passed the authentication process. It saves resources and time without compromising the security of your application.
 
 
Comments
tewary_manish 24-Feb-18 12:34pm    
In that case also, the token has to be validated every time.
phil.o 24-Feb-18 13:29pm    
Yes, but validating a token of a few bytes which can be kept in a map in memory is way quicker than doing a request to a database system and/or coupled with some salt & hash operations.
tewary_manish 25-Feb-18 12:41pm    
OK, thanks for the info, but still I think it's not a good approach. Storing the token in a memory map again will have its limitations if my token is time bound. The token can also be hacked. Anyway, thanks again for clearing my doubts.

Just wanted to check what other options are available if the APIs are pulling data from a different vendor DB and I want to secure this.
tewary_manish 24-Feb-18 12:56pm    
What other options are available for security in my case? I am working on a web application where I need to pull data from a third party vendor. There are REST APIs written for this which will pull data from the third party.
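The trade-off discussed in this thread, as an added example that is not part of the original posts: the password is verified once with a deliberately slow salted hash, after which each request is checked by a lookup in an in-memory map that also enforces a time limit and allows revocation. The user store, the PBKDF2 work factor, the 15-minute lifetime and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor: deliberately slow, paid once per login
TOKEN_TTL = 900           # assumed token lifetime in seconds

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed sample user store standing in for the credentials database.
_salt = secrets.token_bytes(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}

# sha256(token) -> (username, expiry). Storing only the digest means a dump
# of this map does not hand out usable bearer tokens.
SESSIONS = {}

def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

def login(username: str, password: str, now: float = None):
    """Slow path: salted hash comparison, then issue a random time-bound token."""
    now = time.time() if now is None else now
    # Unknown users still cost one hash, so response time does not reveal them.
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSIONS[_digest(token)] = (username, now + TOKEN_TTL)
    return token

def authenticate(token: str, now: float = None):
    """Fast path run on every request: one hash and one dictionary lookup."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = SESSIONS.get(key)
    if entry is None:
        return None
    username, expires = entry
    if now >= expires:
        del SESSIONS[key]               # expired tokens are purged when seen
        return None
    return username

def revoke(token: str) -> bool:
    """Logout or suspected theft: the token dies, the password stays unchanged."""
    return SESSIONS.pop(_digest(token), None) is not None
```

A stolen token in this sketch is usable only until it expires or is revoked, whereas credentials sent with every request stay valid until the user changes the password.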

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


