How to secure RESTful web services

Question

I have to implement secure RESTful web services  I already did some research using Google but I m stuck   Options   TLS  HTTPS      HTTP Basic  pc1oad1etter  HTTP Digest  two-legged OAuth a Cookie-based approach client certificates  Tom Ritter and here  Signed requests using HMAC and a limited lifetime   Are there more possible options to consider  If OAuth then what version  Does it even matter  From what I ve read so far OAuth 2 0 with bearer tokens  that is without signatures  seems to be insecure   I ve found another very interesting article on REST based authentication   Secure Your REST API    The Right Way

User · Answer

If choosing between OAuth versions  go with OAuth 2 0   OAuth bearer tokens should only be used with a secure transport   OAuth bearer tokens are only as secure or insecure as the transport that encrypts the conversation  HTTPS takes care of protecting against replay attacks  so it isn t necessary for the bearer token to also guard against replay     While it is true that if someone intercepts your bearer token they can impersonate you when calling the API  there are plenty of ways to mitigate that risk  If you give your tokens a long expiration period and expect your clients to store the tokens locally  you have a greater risk of tokens being intercepted and misused than if you give your tokens a short expiration  require clients to acquire new tokens for every session  and advise clients not to persist tokens   If you need to secure payloads that pass through multiple participants  then you need something more than HTTPS SSL  since HTTPS SSL only encrypts one link of the graph  This is not a fault of OAuth   Bearer tokens are easy to for clients to obtain  easy for clients to use for API calls and are widely used  with HTTPS  to secure public facing APIs from Google  Facebook  and many other services

User · Answer

HTTP Basic   HTTPS is one common method

User · Answer

There s another  very secure method   It s client certificates   Know how servers present an SSL Cert when you contact them on https   Well servers can request a cert from a client so they know the client is who they say they are   Clients generate certs and give them to you over a secure channel  like coming into your office with a USB key - preferably a non-trojaned USB key    You load the public key of the cert client certificates  and their signer s certificate s   if necessary  into your web server  and the web server won t accept connections from anyone except the people who have the corresponding private keys for the certs it knows about   It runs on the HTTPS layer  so you may even be able to completely skip application-level authentication like OAuth  depending on your requirements    You can abstract a layer away and create a local Certificate Authority and sign Cert Requests from clients  allowing you to skip the  make them come into the office  and  load certs onto the server  steps   Pain the neck   Absolutely   Good for everything  Nope   Very secure  Yup     It does rely on clients keeping their certificates safe however  they can t post their private keys online   and it s usually used when you sell a service to clients rather then letting anyone register and connect   Anyway  it may not be the solution you re looking for  it probably isn t to be honest   but it s another option

[web-services] How to secure RESTful web services?

Examples related to web-services

Examples related to security

Examples related to rest

Examples related to oauth

Examples related to restful-authentication