As RESTful Web Services work with HTTP URL Paths, it is very
important to safeguard a RESTful Web Service in the same manner as a
website is secured.
Following are the best practices to be adhered to while designing a RESTful Web Service −
Following are the best practices to be adhered to while designing a RESTful Web Service −
- Validation − Validate all inputs on the server. Protect your server against SQL or NoSQL injection attacks.
- Session Based Authentication − Use session based authentication to authenticate a user whenever a request is made to a Web Service method.
- No Sensitive Data in the URL − Never use username, password or session token in a URL, these values should be passed to Web Service via the POST method.
- Restriction on Method Execution − Allow restricted use of methods like GET, POST and DELETE methods. The GET method should not be able to delete data.
- Validate Malformed XML/JSON − Check for well-formed input passed to a web service method.
- Throw generic Error Messages − A web service method should use HTTP error messages like 403 to show access forbidden, etc.
HTTP Code
| Sr.No. | HTTP Code & Description |
|---|---|
1
|
200 OK − shows success. |
2
|
201 CREATED − when a resource is successfully created using POST or PUT request. Returns link to the newly created resource using the location header. |
3
|
204 NO CONTENT − when response body is empty. For example, a DELETE request. |
4
|
304 NOT MODIFIED − used to reduce network bandwidth usage in case of conditional GET requests. Response body should be empty. Headers should have date, location, etc. |
5
|
400 BAD REQUEST − states that an invalid input is provided. For example, validation error, missing data. |
6
|
401 UNAUTHORIZED − states that user is using invalid or wrong authentication token. |
7
|
403 FORBIDDEN − states that the user is not having access to the method being used. For example, Delete access without admin rights. |
8
|
404 NOT FOUND − states that the method is not available. |
9
|
409 CONFLICT − states conflict situation while executing the method. For example, adding duplicate entry. |
10
|
500 INTERNAL SERVER ERROR − states that the server has thrown some exception while executing the method. |
No comments:
Post a Comment