HTTP basic authentication over SSL for REST API


Basic authentication is just a standard HTTP header with the user and password encoded in base64:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

(http://en.wikipedia.org/wiki/Basic_access_authentication). If you authenticate your REST API calls by this header over a non-SSL connection, the problem is that any man-in-the-middle can decode your username and password from your auth header.

To make sure that your password is sent securely, instead of a normal HTTP connection you must use HTTPS. The only difference between HTTP and HTTPS is that HTTPS uses the SSL/TLS security protocol over TCP/IP instead of plain TCP/IP.

Now this has the drawback that establishing an HTTPS connection is more expensive on the CPU than a normal HTTP connection. It is very clear that if you want to authenticate your REST calls on every request with this header, you should make your REST API only available over HTTPS connections.
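The following Python is an added example, not code from the original answer: it builds the `Authorization` header exactly as described above, then parses it back the way any receiver does. Because base64 is an encoding and not encryption, the parser is also what a passive observer on a plain HTTP connection can run, which is the whole reason the header must only travel over TLS. The server-side `check_credentials` helper and the sample `Aladdin` / `open sesame` credentials (the RFC example reused on this page) are illustrative; the constant-time comparison is a defensive choice, not something the original post specifies.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple


def build_basic_header(user: str, password: str) -> str:
    """Build the header value a client sends: 'Basic ' + base64(user:password)."""
    if ":" in user:
        # RFC 7617: the user-id must not contain a colon, otherwise the
        # receiver cannot tell where the user ends and the password begins.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header back to (user, password).

    Returns None for anything that is not a well-formed Basic credential.
    Anyone who sees this header on an unencrypted link can do exactly this.
    """
    parts = header.strip().split(None, 1)
    # Auth scheme names are case-insensitive (RFC 7235).
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in decoded:
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    user, password = decoded.split(":", 1)
    return user, password


def check_credentials(header: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check of a Basic header against one expected credential.

    Both fields are compared in constant time and neither comparison
    short-circuits, so a wrong username and a wrong password take the
    same time to reject. (Illustrative: a real service would look up a
    salted password hash rather than a plaintext expected password.)
    """
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    user, password = parsed
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed sample credentials, matching the RFC example on this page.
    header = build_basic_header("Aladdin", "open sesame")
    print("Client sends:   Authorization:", header)
    # Over plain HTTP every hop between client and server can recover this:
    print("Observer reads:", parse_basic_header(header))
    print("Server accepts:", check_credentials(header, "Aladdin", "open sesame"))
```

Run it once and the point of the answer is visible in the output: the "observer" line prints the username and password in clear text from nothing but the header, so the transport (HTTPS) is the only thing protecting them.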

Author: Kanishk Dudeja

Updated on July 09, 2022

Comments

  • Kanishk Dudeja (almost 2 years)

    I am new to the concept of RESTful APIs.

    I am designing a RESTful API for an online store.

    I have not properly understood the concept of basic HTTP authentication over SSL.

    Does it mean that for every request the user will have to enter his/her username and password again?

    Can somebody explain in detail how it functions and how it is meant to be used?

  • Kanishk Dudeja (over 10 years)
    Will the authorization header have to be sent with every request that goes to the server?
  • Ovidiu Buligan (over 10 years)
    Yes. Because the REST API doesn't have state (for example: logged-in user state). I think that for big applications you have to have an authentication module or filter which has state, or something like OAuth. I would certainly also look to try to understand OAuth 2, for example, which is a more complete and general solution for anyone who uses your API.
  • Kanishk Dudeja (over 10 years)
    And will the header automatically get cached and sent by my browser again and again? Or will I need to send the header from the API code?
  • Ovidiu Buligan (over 10 years)
    You will need to send the header at each request.
  • Ovidiu Buligan (over 10 years)
    Ignore my previous comment, it seems the browser caches the credentials. Here is a question on the same subject: security.stackexchange.com/questions/988/…
  • Kanishk Dudeja (over 10 years)
    Okay. Last thing. For the first time too, it is the browser's responsibility to encode it into a base64 string, right?
  • Ovidiu Buligan (over 10 years)
    Yes, you generally don't need to concern yourself with encoding it, because you use a JavaScript API to set the user and password for basic authentication.
  • Michael Chudinov (over 6 years)
    Just want to mention that basic authentication is described in RFC 7617 (tools.ietf.org/html/rfc7617). It is always worth referring to a standard.
  • galactikuh (about 5 years)
    This answer is out of date since the solution provided in the Wikipedia page has been deprecated.