REST security design: good practice when exposing a resource identifier

In a REST-based system, there are options for "encrypting" a resource identifier.

For instance:

/client/2 

will be available in

/client/SOMEHASHKEY

I think:

1 - Have database tables that track the resource identifier and match it to the HASH, and look it up for each request. This is obviously quite difficult to implement and would cost the server quite a bit of performance.

2 - Have some kind of internal encryption algorithm that creates a hash, for example based on the date the resource was created, the resource identifier and base64 (obviously not optimal, but you get the point).

So, are there any good methods for such scenarios? What would you recommend?

Thank you very much

+6

1 answer

If you intend to make it difficult to guess customer identifiers, use UUIDs, for example 32 hex characters long, such as 21EC2020-3AEA-1069-A2DD-08002B30309D.

The identification of objects in a domain is entirely dependent on the implementation that provides the REST service.

In some applications, pointers are used to define objects by default. A good example is the lovefilm API:

GET /users/9D48675C-096F-11DC-BF5A-88D01745CE5C HTTP/1.1
Host: openapi.lovefilm.com

However, using inaccessible identifiers does not protect you from unauthorized access and does not replace a genuine authentication mechanism.

+2
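The answer's two points together, as an added example that is not part of the original thread: public identifiers are random UUIDs (so nothing about creation date or ordering leaks into the URL path), and the lookup still enforces that the authenticated requester owns the resource, because an unguessable identifier is not an access check. The in-memory store, the `Client` record and the `requester` name are assumptions standing in for a real database and session.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Client:
    public_id: str   # the value that appears in /client/<public_id>
    owner: str       # authenticated principal allowed to read it (assumption)
    name: str


class ClientStore:
    """Constructed in-memory stand-in for the table mapping public ids to rows."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Client] = {}

    def create(self, owner: str, name: str) -> Client:
        # uuid4 is drawn from the OS CSPRNG, so the identifier carries no
        # sequence or creation-date information that a caller could extrapolate
        # from, unlike /client/2 or a base64 of (date, id).
        client = Client(public_id=str(uuid.uuid4()), owner=owner, name=name)
        self._by_id[client.public_id] = client
        return client

    def get(self, requester: str, public_id: str) -> Tuple[int, Optional[Client]]:
        """Return (HTTP status, resource). Validate the identifier's shape,
        look it up, then enforce ownership regardless of how the id was obtained."""
        try:
            uuid.UUID(public_id)
        except ValueError:
            return 400, None          # not even a well-formed identifier
        client = self._by_id.get(public_id)
        if client is None:
            return 404, None
        if client.owner != requester:
            # Answer with 404 rather than 403 so the response does not confirm
            # that a valid id exists for someone else.
            return 404, None
        return 200, client
```

Knowing a valid UUID (for example from a leaked log line) still yields 404 for anyone but the owner, which is the property the answer says obscurity alone cannot give you.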

Source: https://habr.com/ru/post/944798/
