RESTful Web Services - Security
Because a RESTful web service is reached through ordinary HTTP URL paths, it is exposed to the same attacks as a website and must be secured in the same way.
The following guidelines apply when developing a RESTful web service.
Validation - Validate all input on the server side. Treat every parameter, header and body field as untrusted, and use parameterized queries or a safe query builder so that input cannot be turned into a SQL or NoSQL injection attack.
Session-Based Authentication - Authenticate the caller on every request to a web service method, for example with a session or bearer token that the server validates; never assume that an earlier request already authenticated the caller.
No Sensitive Data in the URL - Never put a username, password or session token in the URL (path or query string): URLs end up in server logs, proxy logs, browser history and Referer headers. Pass these values in the body of a POST request or in a request header such as Authorization.
Method Execution Restriction - Allow only the HTTP methods each resource actually needs (GET, POST, PUT, DELETE, and so on) and reject the rest. A GET request must never change or delete data.
Invalid XML/JSON Validation - Check that the document passed to a web service method is well-formed and matches the expected schema (types, required fields, lengths) before acting on it; reject malformed input rather than trying to repair it.
Generic Error Messages - Return short, generic error messages together with the appropriate HTTP status code, for example 403 for denied access. Do not expose stack traces, query text or other internal details to the client. The status codes most commonly used by a RESTful web service are:
200 OK - The request succeeded.
201 CREATED - A resource was successfully created by a POST or PUT request. The response carries a reference to the new resource in the Location header.
204 NO CONTENT - The request succeeded and the response body is empty, for example after a DELETE request.
304 NOT MODIFIED - Used for conditional GET requests (If-None-Match / If-Modified-Since) to save bandwidth when the resource has not changed. The response body must be empty; headers such as Date, ETag and Cache-Control are still sent.
400 BAD REQUEST - The input is invalid, for example a validation error, malformed JSON/XML or missing data.
401 UNAUTHORIZED - The caller supplied no authentication token, or a wrong or expired one.
403 FORBIDDEN - The caller is authenticated but is not allowed to use this method on this resource, for example a non-administrator calling an administrator-only operation.
404 NOT FOUND - The requested resource does not exist.
409 CONFLICT - The request conflicts with the current state of the resource, for example adding an entry that already exists.
500 INTERNAL SERVER ERROR - The server threw an exception while executing the method. Return only a generic message and log the details on the server.
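The following Python example is added here by the editor and is not code from the original page. It puts the guidelines above (server-side validation, per-request token authentication, no credentials in the URL, method restriction, generic error bodies) and the status codes just listed into one framework-free request handler. Everything it works on is constructed for the example: an in-memory /items resource, a static token table standing in for a real session store, and a hypothetical item schema (id, name). It also returns 405 Method Not Allowed for a disallowed method and uses an ETag for the conditional GET, neither of which the page spells out.

```python
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed sample data for this example (not from the page): an in-memory
# resource store and a static token table standing in for a real session store.
ITEMS: dict = {}
TOKENS = {
    "tok-alice-admin": {"user": "alice", "role": "admin"},
    "tok-bob-user": {"user": "bob", "role": "user"},
}
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# Method execution restriction: each route lists the only methods it accepts.
ROUTES = [
    (re.compile(r"^/items$"), {"GET", "POST"}),
    (re.compile(r"^/items/(?P<item_id>[^/]+)$"), {"GET", "DELETE"}),
]
SENSITIVE_QUERY_KEYS = {"username", "password", "token", "session", "sessionid"}

def _error(status: int, message: str):
    # Generic error body: no stack trace, query text or other internals.
    return status, {"error": message}, {}

def _authenticate(headers: dict) -> Optional[dict]:
    """Bearer token from the Authorization header, compared in constant time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, principal in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented):
            return principal
    return None

def _validate_item(body: str) -> Optional[dict]:
    """Parse and validate the JSON document; None means reject with 400."""
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(doc, dict):
        return None
    item_id, name = doc.get("id"), doc.get("name")
    if not (isinstance(item_id, str) and ID_RE.match(item_id)):
        return None
    if not (isinstance(name, str) and 1 <= len(name) <= 64):
        return None
    return {"id": item_id, "name": name}

def _etag(item: dict) -> str:
    return '"%s"' % hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()[:16]

def handle_request(method: str, path: str, query: dict, headers: dict, body: str = ""):
    """Returns (status, JSON-serialisable body or None, extra response headers)."""
    try:
        return _dispatch(method, path, query, headers, body)
    except Exception:
        # Log the real exception server-side; the client only sees a generic 500.
        return 500, {"error": "Internal server error"}, {}

def _dispatch(method, path, query, headers, body):
    # Sensitive data must never travel in the URL: it ends up in logs and Referer headers.
    if SENSITIVE_QUERY_KEYS & {k.lower() for k in query}:
        return _error(400, "Credentials must not be sent in the URL")
    for pattern, allowed in ROUTES:
        match = pattern.match(path)
        if match:
            break
    else:
        return _error(404, "Resource not found")
    if method not in allowed:
        return 405, {"error": "Method not allowed"}, {"Allow": ", ".join(sorted(allowed))}
    principal = _authenticate(headers)       # every request is authenticated anew
    if principal is None:
        return _error(401, "Missing or invalid authentication token")
    if path == "/items":
        if method == "GET":
            return 200, list(ITEMS.values()), {}
        item = _validate_item(body)          # POST: malformed JSON or bad schema -> 400
        if item is None:
            return _error(400, "Invalid or malformed item document")
        if item["id"] in ITEMS:
            return _error(409, "Item already exists")
        ITEMS[item["id"]] = item
        return 201, item, {"Location": "/items/" + item["id"]}
    item = ITEMS.get(match.group("item_id"))
    if item is None:
        return _error(404, "Resource not found")
    if method == "GET":
        tag = _etag(item)
        if headers.get("If-None-Match") == tag:
            return 304, None, {"ETag": tag}  # conditional GET: empty body
        return 200, item, {"ETag": tag}
    if principal["role"] != "admin":         # DELETE is administrator-only
        return _error(403, "Insufficient privileges")
    del ITEMS[item["id"]]
    return 204, None, {}
```

The order of the checks matters: the URL is inspected for credentials and the method is checked against the route's allow-list before any token is looked at, so a request that is malformed by construction is rejected without touching the authentication code, and a GET can never reach the branch that deletes data. The token comparison uses hmac.compare_digest so that a wrong token takes the same time as a right one, and every error path goes through the same small generic body.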