Developing API - how to make it secured? [closed]

Tagged: codeigniter


Implementing OAuth http://oauth.net/documentation/getting-started/ would work for what you're trying to do. I'm not certain of what type of data you're securing, but I agree with TradyBlix that this is probably best. I've implemented it before; it's not too hard to figure out, and it's well documented, with many APIs that handle user data utilizing it.

Another thing you should think about is limiting API keys to domains, so a developer can only use their API key from their own domain, essentially preventing an unauthorized developer from gaining access, at least without gaining access to an authorized domain and its corresponding key.


First: require HTTPS.

HTTPS ensures that a secure channel is established before any request data is sent. Yes, before any request data is sent: URL, headers, cookies, GET or POST parameters... anything. This means that you can use simple methods such as HTTP Basic authentication over HTTPS without putting the user's credentials at risk.

This is really not negotiable, unless the data you are passing over the API is truly public. If you aren't using HTTPS, then any communication with your API (including HTTP Basic credentials) can be sniffed in plain text.

The only reason major sites (like Facebook) don't use HTTPS is because it gets expensive at massive scale.

If you absolutely can't run HTTPS, then you should look into OAuth, which is making strides in API authentication in exactly this situation. With OAuth you can authenticate users while keeping credentials secret over unencrypted channels.

Second: authentication is not authorization.

Don't blindly trust data from authenticated API users. Make sure that the methods and actions they are accessing are appropriate, otherwise you may give your users a backdoor into other users' data or administrative functions.

There's a lot more to it than this, but if you follow these two principles you're on your way.
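The two principles in this answer, as an added example (not the answer author's code, and framework-agnostic rather than CodeIgniter-specific): a request handler that refuses plain HTTP, verifies HTTP Basic credentials, and then checks that the authenticated user actually owns the requested record before returning it. The user store, the records, the password hashing scheme and the URL layout are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 so stored credentials are not plaintext; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash). A real API keeps this in a database.
USERS = {
    "alice": (b"salt-a", _hash("alice-pass", b"salt-a")),
    "bob": (b"salt-b", _hash("bob-pass", b"salt-b")),
}
# Constructed records: each record belongs to exactly one user.
RECORDS = {"r1": {"owner": "alice", "body": "alice's data"},
           "r2": {"owner": "bob", "body": "bob's data"}}

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Authentication only: return the username proven by the Basic header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    # Hash even for unknown users so timing does not reveal which usernames exist.
    salt, stored = USERS.get(user, (b"dummy", b"\x00" * 32))
    if user in USERS and hmac.compare_digest(_hash(pw, salt), stored):
        return user
    return None

def handle_get_record(scheme: str, headers: Dict[str, str], path: str) -> Tuple[int, str]:
    """Step 1: require TLS. Step 2: authenticate. Step 3: authorize this specific record."""
    if scheme != "https":
        return 403, "HTTPS required"  # never even look at credentials sent over plain HTTP
    user = authenticate(headers)
    if user is None:
        return 401, "invalid credentials"
    m = re.fullmatch(r"/records/([A-Za-z0-9]+)", path)
    record = RECORDS.get(m.group(1)) if m else None
    if record is None or record["owner"] != user:
        # Same response for missing and foreign records, so the API does not leak which ids exist.
        return 404, "not found"
    return 200, record["body"]

def basic_header(user: str, pw: str) -> Dict[str, str]:
    """Build the Authorization header a client would send (used by the checks below)."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}
```

Authenticating alice and then asking for bob's record returns 404, which is the check that separates "who are you" from "what may you touch".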


Maybe you should check out OAuth. It's an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

I haven't tried it myself, to be honest, but it's the first thing I thought of when you mentioned "authorized developers use my API". Just an idea.