API Security Question: SSL or more?

I am developing an API for a web application. Desktop clients will interact with the API using simple HTTP messages (REST). I will use SSL, there is no doubt about it. My question is this: should I also encrypt data before sending it over SSL? Transmitted information may contain confidential information. Is SSL enough, or should I do more? My only concern about adding extra layers of security is that it will be much more difficult for people to interact with the API. Any thoughts on this would be greatly appreciated.

+3
5 answers

No, SSL provides strong encryption. Just make sure you force clients to use HTTPS, and if you're really paranoid, check if the cipher is enough.

The only reason you want to encrypt a second time is because your web application is transferring data directly to some other system. In this case, you can leave the web application unaware of the actual data and provide end-to-end encryption between the client and the final destination.

+4

If you trust your certification authority, your clients do this, and your key is safe enough (RSA 2048 will not be interrupted for a while), there are no problems with SSL. You do not need to encrypt your data before SSLing, since SSL itself provides encryption.

API , .

SSL SSL-.

+2

IMHO, . , , API. SSL , ?

+1

Shtééf, , . , . SSL , node node , , .

, , SSL- .


0

Yes. SSL will help with man-in-the-middle and wiretapping, but there are other attacks. SSL will not help, for example, with replay attacks.

0
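An added example (not part of the thread) of the kind of application-layer check the last answer points at: each request carries a timestamp and a one-time nonce under an HMAC, and the server refuses a request it has already accepted or one that is too old. The shared key, the 300-second window, the signed field layout and the `/v1/transfer` request are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy value)


def sign_request(key, method, path, body, nonce, timestamp):
    """Client: HMAC-SHA256 over every field the server checks."""
    msg = "\n".join([method, path, str(timestamp), nonce,
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server: check signature, freshness, and one-time use of the nonce."""

    def __init__(self, key, now=time.time):
        self.key, self.now = key, now   # injectable clock for testing
        self.seen = {}                  # nonce -> time it may be forgotten

    def accept(self, method, path, body, nonce, timestamp, signature):
        current = self.now()
        # Drop nonces whose window has closed; those requests fail as stale.
        self.seen = {n: t for n, t in self.seen.items() if t >= current}
        expected = sign_request(self.key, method, path, body, nonce, timestamp)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad-signature"
        if abs(current - timestamp) > MAX_SKEW:
            return "stale"
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = timestamp + MAX_SKEW
        return "ok"


def demo():
    """Constructed sample: one captured request submitted three times."""
    key = b"constructed-demo-key"
    clock = [1_700_000_000]
    guard = ReplayGuard(key, now=lambda: clock[0])
    req = ("POST", "/v1/transfer", b'{"amount": 10}', "nonce-0001", clock[0])
    sig = sign_request(key, *req)
    first = guard.accept(*req, sig)    # original delivery
    again = guard.accept(*req, sig)    # same bytes sent again
    clock[0] += MAX_SKEW + 1
    late = guard.accept(*req, sig)     # sent after the window closed
    return first, again, late
```

The nonce store only has to remember entries for the length of the timestamp window, because anything older is already rejected as stale.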

Source: https://habr.com/ru/post/1729787/

