How to secure a RESTful php web service with SSL/TLS and/or Message level security

php security service ssl
16,777

Solution 1

Assuming you have HTTPS properly configured using SSL/TLS your main concern is how to implement authentication for your RESTful service. Since HTTPS will use SSL/TLS to encrypt the communication between client and server encryption is not something you should worry about. If you need to understand how to properly configure SSL/TLS read Understanding SSL/TLS

Best practices for securing RESTful service is already discussed in RESTful Authentication and Best Practices for securing a REST API / web service.

To summarize it discusses 3 options

  • HTTP basic auth over HTTPS
  • Cookies and session management
  • Query Authentication with additional signature parameters.

Another option would be to explore OAuth2 for authentication. If so you can get a good understanding about Oauth2 in Beginner’s Guide to OAuth Part III : Security Architecture

Solution 2

You should already be using SSL to get the authentication established.

Then you can use same token you got after authentication as your secret hash to encrypt/decrypt data back and forth for that connection until it becomes invalid.

If systems are properly locked down (internal) you can skip SSL for encrypted data transfer if you need more speed (as long as original token is generated over SSL, and system is aware what IP the token is assigned to/etc).

Share:
16,777

Related videos on Youtube

Kiril
Author by

Kiril

Updated on July 10, 2022

Comments

  • Kiril
    Kiril almost 2 years

    I have a RESTful web service written in php that uses JSON for communication. Some of the data transmitted is really sensitive (passwords) and I am looking for a way to achieve a reasonable security level for the service. The client is a silverlight 4 application.

    I have been searching for clear information on how to implement SSL/TLS(I assume that client certificate authentication falls in that category?) and Message level security, but I cannot find good examples regarding the actual implementation of these security measures in a php+json web service. I would be very grateful for any information and practical examples. I am aware of the principles, I am just not very experienced with php. Currently the only security measure that I have in place is a very basic authentication token system, which upon successful login creates a server side session and supplies the user with an authentication token for any further communication(until the session expires or the user connects from a different IP). I really want to at least secure the sensitive traffic such as passwords.

    Finally, what are the security issues that I have to look out for after implementing TLS and maybe message layer security, as in vulnerabilities and exploits?

    Thank you in advance.

  • Kiril
    Kiril almost 13 years
    Hi, this is definitely not too basic, as using SSL is one of the approaches that I'd like to implement. The problem is that I do not know and could not find good information on how to implement the certificate mechanics, both server side in the php web service, and client side properly.
  • Kiril
    Kiril almost 13 years
    Thanks for the tip on using the token for encryption/decryption of the data. Could you please point me to an article/tutorial on how to use SSL to get the authentication established and how to encrypt/decrypt the data using the token? I already have the service accepting only SSL connections, but I don't know how to implement the actual certificate validation and usage.
  • Aleksey Korzun
    Aleksey Korzun almost 13 years
    I don't have any on hand, ideally when dealing with mission critical data you need to send it over secure/encrypted VPN link. If you lack that option in addition to talking to secure server (https) you can have two way hash assigned per client that is used to encrypt/decrypt authentication data (but NEVER send over the link unlike the token) just to keep it a bit more secure.
  • curtisdf
    curtisdf almost 13 years
    I see. I'm not sure what to tell you since I haven't had to configure SSL myself before. But I know it depends on what HTTP server you're using (e.g. Apache, Nginx, etc.) and is not directly tied to PHP. Search the web for "ssl tutorial" for your particular HTTP server?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SSL connection has been closed unexpectedly
php not redirecting and logging in
Penetration testing for PHP security vulnerabilities
Symfony2 Authentication "login_check" path not found
A better SQL string sanitization function
MIME Type spoofing
SSL Certificate with PHP CURL
SSL Alternative - encrypt password with JavaScript submit to PHP to decrypt
Error while creating self-signed SSL certificate
HTTPS giving 404 not found error