I have a REST JSON API (built in .NET) that needs to be consumed by the following clients (over HTTPS):
- SPA website (AJAX)
- Mobile applications
Everything (API, SPA website, mobile apps) is in-house.
Usually for an API, i'd go with Basic authentication, but obviously once you open up your API to AJAX, security gets tricky.
A note on "securing" the API - I mainly want to stop scrapers hacking/hammering the API, and the data isn't exactly ultra-private.
Here's the solutions i have in mind:
- Do nothing. Leave it open, but use throttling/rate-limiting to stop my API being scraped.
- Create a middleman server that the AJAX calls need to go through. Obviously this means there's extra latency, doubling up on code-etc.
- Use HMAC authentication with nonces and an agreed message format between client/server, and only allowing CORS from a set of allowed domains. (yes i know Origin header can be spoofed).
I'm leaning towards option 3. Since we are over HTTPS the request can't be sniffed, however obviously i can simply go to the SPA app, pop open Fiddler and see the HMAC message, but the nonces will stop the replay attacks. Obviously if someone was that way inclined, they could download the minified JS for the SPA app, find where the AJAX calls happen and somehow figure out the HMAC format. This is the only downside i can see.
Can i please have some advice on this?
Thanks
I think that you have great ideas to secure your Web API. Here are some additional thoughts:
- You should prefer a token-based authentication instead of basic authentication. This allows to add expirations, refresh, ... I wrote an article on this subject: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/
- You should also be careful about possible XSS for SPA if you store security context in it. If you choose to keep basic authentication, it doesn't really apply since the browser keeps this context for you. Here are some links regarding such aspects: What are (if any) the security drawbacks of REST Basic Authentication with Javascript clients? and Is there any safe way to keep rest auth token on the client side for SPA?. Notice that JS frameworks like Angular provides support to prevent from this.
- Using rate limitation is also a good thing. It will provide a guard for scrapers hacking. You can have a look at what Restlet at this level for advice: http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/apispark/firewall.
- The option 3 is perhaps a bit strong but you could implement a security mechanism like the one (signature-based) used / provided by AWS. It signs the request using an access key identifier (see this link http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html). This class from Restlet could give you hints about the implementation: https://github.com/restlet/restlet-framework-java/blob/master/modules/org.restlet.ext.crypto/src/org/restlet/ext/crypto/internal/AwsUtils.java.
I think that if you use / consider / implement some or all mechanisms, you will have a pretty good authentication and security for your Web APIs ;-)
Hope it helps you,
Thierry
