All Questions

336 questions with no upvoted or accepted answers
7 votes, 0 answers, 287 views

Double-Edged Approach to API-based web app authentication with Spring

I am creating a web application that will be handling sensitive data. The application is implemented as a Spring Boot RESTful API, so that different flexible clients can be created around it. Right ...

5 votes, 1 answer, 4k views

JSON Injection fix for jackson

My static scan is giving a vulnerability saying I am writing unvalidated input into JSON. It advises that all serialization to JSON is performed using a safe serialization function that delimits ...

5 votes, 0 answers, 581 views

How to verify if a request comes from the same project in App Engine? (mixed Flexible and Standard)

First, a little context on our setup: In our setup, we have a Google App Engine project with a reverse proxy in the default service. It acts as an API gateway to all other microservices in the same ...

5 votes, 1 answer, 2k views

Facebook mobile login and server-side validation

I am working on a mobile app that has an integrated Facebook login (using the fb android sdk). I also have a server that has some rest endpoints on it that I would like to secure. I have been looking ...

5 votes, 1 answer, 3k views

Universal way to authenticate clients and secure a RESTful api

I've been digging through stackoverflow / security.stackexchange threads and getting no definite answers on providing a universal way for clients to securely consume RESTful services I am building ...

4 votes, 0 answers, 203 views

How to add Lusca security to an Express REST API with Angular and an Android native app as clients?

I'm not sure what the best option is to add a CSRF token for my forms on the website while still using the same endpoints for my Android app :/ I can create new endpoints for Android but I think that ...

4 votes, 1 answer, 991 views

Best practices for Azure Key Vault for multiple web services?

We have a project with multiple RESTful web services communicating with each other. So far, each web service has its own Azure Key Vault. They each have a powershell script that accesses information ...

4 votes, 1 answer, 122 views

Best way to validate in Javascript that response is from my server(s)?

I have some values being sent from a server as a JSON object to a JS client. What is the best way for the client to validate that the response did indeed come from my server? I want to prevent users ...

4 votes, 0 answers, 2k views

request.GetClientCertificate Returns null on Specific Server

I'm using client certificate authentication in an ASP.NET Web API 2 application. I attach the cert to the client like so: private HttpClient GetHttpClient() { HttpClient client = new ...

3 votes, 0 answers, 117 views

Secure a Laravel REST API with clients that act on their own behalf

I'm sorry if this question has been asked before, but I'm still confused. I'm currently creating a REST API with Laravel. I'm using Passport to secure the API endpoints. The API should be used/accessed ...

3 votes, 1 answer, 97 views

Proxy K8S app delegating authentication of requests from other pods

Background: I have a K8S cluster with a number of different pods that have their own specific service accounts, cluster roles, and cluster role bindings, so that they can execute various read/write ...

3 votes, 0 answers, 653 views

Patterns for handling sensitive data in REST API

I have a REST resource whose GETs return "Masked" sensitive data, e.g. This API is consumed by the application UI: GET /api/customer { "Name":"John" "AccountNumber" :"XXXXX123" } This customer api in turn calls ...

3 votes, 0 answers, 44 views

Is it safe to use window.location in a jQuery AJAX response function? Won't it be a security threat as it's exposed client side?

I'm using jQuery AJAX code such as this: url:'userlogin', // the function that process the mapped url name and matching type is going to receive the data// type:'POST', data:{...

3 votes, 1 answer, 150 views

ReST API security

I am creating an Android app that will communicate with a ReST API. And I want to know how I provide security to the APIs. Here is my sample API method: @GET @Path("/count") public ...

3 votes, 1 answer, 239 views

Consuming a RESTful api with Restangular - Is it secure for a RESTful api to return an array as a top-level object?

I'm creating a RESTful web service using Python Flask. For one of my endpoints I'd like to return a list of users. The api endpoint returns JSON in the following format: { "users": [ { "...

3 votes, 1 answer, 960 views

JAX-RS (Jersey 2) - authorization using JSR 250 annotations

Intro. Jersey: 2.9. This part of the Jersey documentation describes how to provide authorization for REST services. There are two ways to do that: the standard Servlet way, using configuration in web.xml ...

3 votes, 0 answers, 430 views

Securing REST endpoints with CXF in OSGI Karaf

What is the standard approach in securing REST endpoints implemented with CXF in OSGI? The system in question is a web application deployed as a WAB in Karaf. The application contains JavaScript ...

3 votes, 0 answers, 3k views

RESTful API, where to place the Authorization key

I'm building an API, on the Laravel framework, meant for portable devices. I have read plenty of articles on how to properly secure the data and the transfers. These are the actions that I am taking to ...

3 votes, 0 answers, 585 views

Java REST implementing custom authorization/authentication

I'm working on a Java server exposing a REST-ful interface. The calls to the interface are to be secured by username/password and each user is to have a role assigned, based on which the access to the ...

3 votes, 1 answer, 3k views

RESTful API Design based on the RBAC model

The problem to face lies in the design of a RESTful API that can manage requests from multiple roles in an RBAC-based solution. Currently we have different resources that can be accessed from ...

3 votes, 3 answers, 1k views

Securing REST API calls with client-side token

I have a node.js REST API and I want to restrict POST/PUT/DELETE calls to a predefined list of "sources" (web applications whose code I do not own). The only way I see to achieve this is to put ...

3 votes, 2 answers, 2k views

Restrict access to RESTful Resources

In designing a REST API for an application, some services are supposed to be public, while other services are preferred to be kept private (i.e. not publicly accessible). OAuth is used by the service ...

2 votes, 0 answers, 29 views

For a REST API is it best practice to redirect http traffic to https or to return error with 401 or 403 status code?

I have a system-to-system REST API which should only, always use HTTPS, but if a client sends HTTP traffic, should we redirect them to the HTTPS URL, or return an error with a 401 or 403 status code? I'...

2 votes, 2 answers, 825 views

REST and service to service authentication

I am working on a microservice application and am now thinking about how to handle security in service-to-service calls. For simplicity, imagine I have only two services: Api gateway (exposed to the internet) ...

2 votes, 0 answers, 5k views

(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"

I am making an API request, and I've been having issues with the SSL certificate it seems. requests.get(url=full_url, headers=headers,verify =certifi.where()) Gives me the error: Max retries ...

2 votes, 0 answers, 508 views

Where to store access token(JWT) on SPA when server is on another domain

My frontend is on domain1 and backend is on domain2, meaning communication is cross-site. On user authentication the server responds with a JWT token. Question is: Where do I safely store that token client-...

2 votes, 0 answers, 16 views

Why would OAuth be used with no third party?

I've been handed a working system that needs changes, and there's something about it that doesn't make sense to me. I'm hoping that maybe someone here could explain it to me. My client has a web app ...

2 votes, 0 answers, 560 views

XSSI protection by adding prefix to JSON response

Angular's security guide mentions prefixing JSON responses from APIs to protect against XSSI: This attack is only successful if the returned JSON is executable as JavaScript. Servers can prevent an ...

2 votes, 0 answers, 134 views

Standards-compliant way of returning JWT authentication token in JSON-LD encoded response body?

I am working on a REST service that speaks JSON-LD and uses JWT authentication. I would like to know if there is a standards-compliant way of returning the JWT token to the client after an ...

2 votes, 0 answers, 183 views

Secure a Spring Boot REST API

I have created a Spring Boot REST API that I intend to call from another application. How can I secure it in such a way that I can only call my API from that application? I am very new at this so I ...

2 votes, 0 answers, 390 views

Is it secure to pass a fixed API key in the request body?

I am currently building a bot using node.js. I would like to secure one route only to be used for a cronjob task. I looked at all the solutions on the internet and I feel they are overkill for my ...

2 votes, 1 answer, 706 views

How to secure JSF application client and server-side REST API module

I'm trying to find a solution to implement authentication and authorization into my application which exposes services through a REST API and at the moment has a Web application client: | Web ...

2 votes, 0 answers, 174 views

Authorization based on URL parameters in JAX-RS / Java EE?

We are working on a web application based on JAX-RS. We have multiple parameterized endpoints that access resources by resource ID and query some aspect of them. We restrict access to individual ...

2 votes, 1 answer, 55 views

Do custom security HTTP headers violate separation of concerns?

Do custom application-specific, security-related HTTP headers violate separation of concerns; is it considered a bad practice? I realize using a custom header to control the service would tightly ...

2 votes, 1 answer, 2k views

Single Page Application JWT, token refreshing vs long lived tokens

I'm beginning a Single Page Application, and I'm using JSON Web Tokens to authenticate client side (JS Client with Server API). In my app, the user provides credentials (app auth, facebook, google) and ...

2 votes, 0 answers, 733 views

How to secure a REST API in Jersey

I have a Java application which uses the Jetty library to handle websocket connections. I am using Jersey JAX-RS to support a REST API in this application. I have two sets of REST APIs: 1. To be accessed ...

2 votes, 0 answers, 32 views

How to implement HDFS encryption using the Java API?

We want to implement HDFS encryption using the Java API. Can someone help me with any reference document or any pointer to implement encryption using Java.

2 votes, 1 answer, 1k views

Preventing duplicate REST calls

I'm creating an Android app that calls PHP-based REST API methods for server-side updates. For example, to add reward points to a customer, we can use: http://example.com/rest/customer/add/1/20 ...

2 votes, 0 answers, 714 views

Spring Security with basic authentication

I'm using Spring to secure my REST API and to deal with the authentication I've chosen the Basic Authentication method. When I test my method, I usually send a header parameter "Authentication : basic ...

2 votes, 1 answer, 163 views

How to provide custom authentication/authorization manager in Wildfly

I have a backend REST service providing authentication and authorization. How can I configure my Wildfly server or the deployed application so that the REST calls are made to verify any user ...

2 votes, 0 answers, 81 views

Remote API for authorization and registration from mobile client

I am looking for the best way, the most secure way to build Client-Server communication. I have a simple web site where I can login and sign up using a well-known web secure implementation. But I need to ...

2 votes, 0 answers, 89 views

Heuristics to detect a scan/attack to our REST API

I'm developing a REST API and I've programmed a controller that handles the "unhandled" routes (routes for "resource types" that don't exist). I've created some code to detect in a heuristic way ...

2 votes, 2 answers, 137 views

Securely Sending Sensitive Information to RESTful Service

So I've searched and tried to piece together the various information I've found, and I apologize if this information does exist somewhere else. Not being a security professional I want to make sure ...

2 votes, 1 answer, 97 views

How to force a call to a RESTful service through an HTTP client?

Considerations: First of all, I'm looking for a programmed/automated solution, not a -personal- solution. I'm afraid that this question does not have a direct answer because of technology, so I'll check any ...

2 votes, 0 answers, 446 views

Securely expose WebApi 2.0 in internal network to Web Servers in DMZ

We have an architecture currently of: www-->DMZ(web server1 MVC5 app-->web server2 WCF service) However, a requirement has arisen for web server2 to contact a WebAPI 2.0 service which is hosted ...

2 votes, 0 answers, 120 views

REST API Security and Cross-Platform

I'm working on a REST API with node.js. I create a JWT token in the /signup endpoint. Then I send this token with every iOS app and Windows Phone app request in the Authorization header. So the API tries to find the user which contains ...

2 votes, 1 answer, 6k views

Grails + Spring Security Rest + How to login

I have created a sample REST application using Grails and added security using the Spring Security REST plugin. I am trying to test it using the REST client POSTMAN but getting 404 on '$MYAPP/api/login' ...

2 votes, 1 answer, 1k views

How to make sure that only my JavaScript client web app is making requests to the REST API?

I'm building a web application. It's basically a blog. There is a JavaScript client web application and there is a server that implements a REST API. When a user visits my blog, I use JavaScript ...

2 votes, 1 answer, 743 views

Is it possible to disable RoleBasedSecurityFilter.java of RESTEasy?

I am developing a Web application which uses JBoss RESTEasy (resteasy-jaxrs-3.0.8) but I want to disable the RoleBasedSecurityFilter.java and only use my own custom SecurityInterceptor class (which ...

2 votes, 0 answers, 2k views

How to prevent spamming to my API server?

I have been thinking of a way to make a secured request from a client to a server (not in terms of implementing SSL) but a way so that I can prevent spamming. Allow me to explain what exactly I am ...

