REST & Security

I am currently wearing my white hat and doing some pen and vulnerability tests for a RESTful API. While this is actually a hot topic in the Domino world, here are some resources:

 


11 replies to REST & Security

  1. David Leedy says:

    Yeah.. some people love to talk about REST but skip over little details like customization and security. 🙂

    Do you know of any good examples of doing a secure, custom REST API in XPages? I’m not sure I’ve seen anything like that yet.

    Thanks!!

  2. Richard Moy says:

    David,

    It is extremely important that you incorporate access control objects as part of the core RESTful process to ensure security

    • Access control is important, but only one part of a security concept for RESTful APIs.
      Validating the input is another huge topic, starting from "is this value allowed for this element" to "has the request parser security flaws".

  3. Richard Moy says:

    That should go without saying

  4. Richard Moy says:

    Sven, I cannot elaborate about our RESTful authentication; it is something that we built specifically on how we do things and is more extensive than what Domino provides. It incorporates its own ACL architecture that checks the authorization of a user to perform a task at a much higher fidelity. I do not like the RESTful services that Domino provides. Too heavy and not secure enough. It is geared towards apps that are more Notes-like.

    I suggest you look at nginx in regards to CORS and CSRF. It is relatively easy to configure. One thing that I have learned is to try not to have Domino do everything, though it would be nice. But it makes your life harder.

  5. Richard Moy says:

    One additional note. Do not rely on just one level of security, it needs to be multiple layers of security and they all need to work together.
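The two ends of the input-validation spectrum named in the reply to comment 2 above, "is this value allowed for this element" and "has the request parser security flaws", worked through as an added example that is not part of the original post or its comments. The "contact" resource, its schema and the size and depth limits are constructed for illustration and are not Domino's own API; the first layer guards the parser, the second checks every field against an allowlist.

```python
import json
# Constructed allowlist schema for a hypothetical "contact" resource (not a Domino
# API): exact type per field plus an allowed set, a length cap or a numeric range.
CONTACT_SCHEMA = {
    "name":   {"type": str, "max_len": 80},
    "email":  {"type": str, "max_len": 254},
    "status": {"type": str, "allowed": {"active", "inactive"}},
    "age":    {"type": int, "min": 0, "max": 150},
}
MAX_BODY_BYTES = 4096  # checked before the parser ever sees the payload
MAX_DEPTH = 4          # nesting limit; deep documents exhaust recursive parsers

def json_depth(obj, depth=1):
    """Nesting depth of a parsed JSON value; each dict or list adds a level."""
    if isinstance(obj, dict):
        return max((json_depth(v, depth + 1) for v in obj.values()), default=depth)
    if isinstance(obj, list):
        return max((json_depth(v, depth + 1) for v in obj), default=depth)
    return depth

def validate_request_body(raw, schema=CONTACT_SCHEMA):
    """Return (ok, errors). Layer 1 guards the parser, layer 2 checks each field."""
    if len(raw) > MAX_BODY_BYTES:
        return False, ["body exceeds %d bytes" % MAX_BODY_BYTES]
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as exc:
        return False, ["malformed JSON: %s" % type(exc).__name__]
    if not isinstance(data, dict):
        return False, ["top-level value must be an object"]
    if json_depth(data) > MAX_DEPTH:
        return False, ["nesting deeper than %d levels" % MAX_DEPTH]
    errors = []
    for key in sorted(data.keys() - schema.keys()):  # unknown fields: reject, never ignore
        errors.append("unexpected field: %s" % key)
    for key, rule in schema.items():
        if key not in data:
            errors.append("missing field: %s" % key)
            continue
        val = data[key]
        if type(val) is not rule["type"]:  # exact match: bool is a subclass of int
            errors.append("%s: wrong type" % key)
            continue
        if "allowed" in rule and val not in rule["allowed"]:
            errors.append("%s: value not allowed" % key)
        if "max_len" in rule and len(val) > rule["max_len"]:
            errors.append("%s: too long" % key)
        if "min" in rule and not rule["min"] <= val <= rule["max"]:
            errors.append("%s: out of range" % key)
    return not errors, errors
```

Rejecting unknown fields rather than ignoring them is the part most APIs get wrong; a silently accepted extra field is how mass-assignment bugs start.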
