I am currently wearing my white hat and doing some pen and vulnerability tests for a RESTful API. While this is actually a hot topic in the Domino world, here are some resources:
- CSRF & REST: Stateless CSRF Protection
- Stateless Session IDs: REST and Stateless Session IDs
- REST Security Cheat Sheet
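The two stateless patterns linked above (a CSRF token that the server does not have to store, and a session ID that carries its own state) fit together naturally: the session ID is an HMAC-signed, expiring value, and the CSRF token is a second HMAC that is bound to that session ID, so a token minted for one session is useless in another. The following is an added example, not code from the post or from Domino; it is written in Python because the logic is language-neutral (in an XPages/Java servlet you would use `javax.crypto.Mac` the same way). The secret key, the `SID` cookie name, the `X-CSRF-Token` header name and the plain-dict request shape are assumptions for the example.

```python
"""Stateless session IDs and stateless CSRF tokens via HMAC-SHA256 (added example)."""
import base64
import hashlib
import hmac
import os
import time

# Constructed example secret (assumption): a real server loads this from a secret store.
SERVER_SECRET = b"constructed-example-secret-not-for-production"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # never change state, so no CSRF token required


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _split_token(token: str):
    """Token layout is base64url(payload).base64url(mac); raises ValueError if malformed."""
    payload_b64, mac_b64 = token.split(".", 1)
    return _b64d(payload_b64), _b64d(mac_b64)


def issue_session_id(user: str, now=None, ttl: int = 3600, key: bytes = SERVER_SECRET) -> str:
    """Stateless session ID: user|expiry plus an HMAC, so no server-side session table is needed."""
    if "|" in user:
        raise ValueError("user name must not contain the payload separator")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl}".encode("utf-8")
    return _b64e(payload) + "." + _b64e(_mac(payload, key))


def verify_session_id(token: str, now=None, key: bytes = SERVER_SECRET):
    """Return the user name if the token is authentic and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac = _split_token(token)
        # Check the MAC before trusting anything inside the payload.
        if not hmac.compare_digest(mac, _mac(payload, key)):
            return None
        user, expiry = payload.decode("utf-8").split("|", 1)
        expires_at = int(expiry)
    except ValueError:  # bad base64, missing separator, bad UTF-8, non-numeric expiry
        return None
    return user if now < expires_at else None


def issue_csrf_token(session_id: str, now=None, ttl: int = 3600, key: bytes = SERVER_SECRET) -> str:
    """Stateless CSRF token: nonce|expiry, MACed together with the session ID it belongs to."""
    now = int(time.time()) if now is None else now
    nonce = _b64e(os.urandom(16))
    payload = f"{nonce}|{now + ttl}".encode("utf-8")
    return _b64e(payload) + "." + _b64e(_mac(session_id.encode("utf-8") + b"\n" + payload, key))


def verify_csrf_token(token: str, session_id: str, now=None, key: bytes = SERVER_SECRET) -> bool:
    """True only if the token was minted for this session ID and has not expired."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac = _split_token(token)
        if not hmac.compare_digest(mac, _mac(session_id.encode("utf-8") + b"\n" + payload, key)):
            return False
        _nonce, expiry = payload.decode("utf-8").split("|", 1)
        return now < int(expiry)
    except ValueError:
        return False


def authorize_request(request: dict, now=None, key: bytes = SERVER_SECRET):
    """request is a constructed dict {"method", "headers", "cookies"} standing in for the real object.
    Returns the user name if the request is authenticated and, for state-changing methods,
    carries a CSRF token bound to the session cookie; otherwise None."""
    session_id = request.get("cookies", {}).get("SID", "")
    user = verify_session_id(session_id, now, key)
    if user is None:
        return None
    if request["method"].upper() in SAFE_METHODS:
        return user
    csrf = request.get("headers", {}).get("X-CSRF-Token", "")
    return user if verify_csrf_token(csrf, session_id, now, key) else None


if __name__ == "__main__":
    sid = issue_session_id("alice")
    csrf = issue_csrf_token(sid)
    print("GET without token:", authorize_request({"method": "GET", "headers": {}, "cookies": {"SID": sid}}))
    print("POST without token:", authorize_request({"method": "POST", "headers": {}, "cookies": {"SID": sid}}))
    print("POST with token:", authorize_request({"method": "POST", "headers": {"X-CSRF-Token": csrf}, "cookies": {"SID": sid}}))
```

Two caveats worth keeping in mind: a stateless token cannot be revoked before it expires unless you add a denylist (which reintroduces state), so keep the TTL short; and if the session token travels in an `Authorization` header set by script rather than in a cookie, the browser will not attach it to cross-site requests automatically and the CSRF check becomes unnecessary.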
Yeah.. some people love to talk about REST but skip over little details like customization and security. 🙂
Do you know of any good examples of doing a secure, custom REST API in XPages? I’m not sure I’ve seen anything like that yet.
Thanks!!
Maybe I can write a blog post about this topic in the next days.
But not before 27th December 😉
Would be very interested to read.
Domino REST security out of the box is great for demos but I would not trust it in the wild.
The ability to change any field on any document is awesome and completely unacceptable at the same time.
Custom is the way to go.
David,
It is extremely important that you incorporate access control objects as part of the core RESTful process to ensure security.
Access control is important, but only one part of a security concept for RESTful APIs.
Validating the input is another huge topic, starting from "is this value allowed for this element" to "has the request parser security flaws".
That should go without saying.
Feel free to share some of your knowledge 🙂
Which stateless authentication scheme are you using with Domino? How did you implement token authentication? How do you protect your RESTful APIs against CSRF? What are your CORS settings? Which frameworks are you using?
Thanks in advance for giving some insights.
Sven, I cannot elaborate about our RESTful authentication; it is something that we built specifically on how we do things and is more extensive than what Domino provides. It incorporates its own ACL architecture that checks the authorization of a user to perform a task at a much higher fidelity. I do not like the RESTful services that Domino provides. Too heavy and not secure enough. It is geared towards apps that are more Notes like.
I suggest you look at nginx in regards to CORS and CSRF. It is relatively easy to configure. One thing that I have learned is to try not to have Domino do everything, though it would be nice. But it makes your life harder.
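Whether CORS is handled in nginx or in the application, the decision logic is the same: compare the `Origin` header against an exact allow-list, never echo an arbitrary origin back, never combine `Access-Control-Allow-Origin: *` with credentials, and answer preflights only for the methods and headers the API actually uses. The block below is an added example (not the commenter's nginx configuration or any Domino code) that shows that logic in Python next to the prefix-match mistake it is meant to avoid; the allowed origins and the permitted header names are constructed for the example.

```python
"""CORS origin allow-listing: the weak prefix check beside the strict version (added example)."""
from urllib.parse import urlsplit

# Constructed allow-list (assumption): exact origins, scheme and host, no wildcards.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Content-Type", "X-CSRF-Token", "Authorization")


def naive_is_allowed(origin: str) -> bool:
    """The common mistake: a prefix (or substring) test. 'https://app.example.com.evil.net'
    passes, so an attacker-controlled host can read credentialed responses."""
    return origin.startswith("https://app.example.com")


def normalize_origin(origin: str):
    """Canonical 'scheme://host[:port]' for a syntactically valid origin, else None.
    The Origin header carries no path, so anything with a path, query, fragment or
    userinfo (and the literal 'null' origin) is rejected outright."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port in (None, default_port):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(origin: str, allowed=ALLOWED_ORIGINS, credentials: bool = True) -> dict:
    """Response headers for a simple cross-origin request. An empty dict means the browser
    will refuse to hand the response body to the calling page."""
    norm = normalize_origin(origin) if origin else None
    if norm is None or norm not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": norm,  # the matched value, never '*' with credentials
        "Vary": "Origin",                      # keep caches from serving one origin's answer to another
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(origin: str, requested_method: str, requested_headers: str,
                      allowed=ALLOWED_ORIGINS) -> dict:
    """Headers for an OPTIONS preflight; requested_headers is the raw
    Access-Control-Request-Headers value. Unknown methods or headers get no grant."""
    headers = cors_headers(origin, allowed)
    if not headers:
        return {}
    if requested_method.upper() not in ALLOWED_METHODS:
        return {}
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if not wanted <= {h.lower() for h in ALLOWED_HEADERS}:
        return {}
    headers.update({
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
        "Access-Control-Max-Age": "600",
    })
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com.evil.net", "null"):
        print(origin, "naive:", naive_is_allowed(origin), "strict:", cors_headers(origin))
```

The same allow-list translates directly into an nginx `map $http_origin $cors_origin { ... }` block whose value is then emitted with `add_header`; the point is that the map must contain exact origins, not regular expressions that match on a prefix.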
David asked a Domino specific question, that’s why I thought your given answer was Domino specific too.
One additional note. Do not rely on just one level of security, it needs to be multiple layers of security and they all need to work together.