REST security
Cards (10)
- Security covers transmission (HTTPS), Access control, SSL(secure socket layer) and TLS(Transport layer security)
- Authentication = who has access
- Authorisation = what should x person be allowed to do
- Ways to authorise over HTTPS: Basic: send encoded (not encrypted as https) credentials everytime. Non Pre-emptive: send only when needed/requested. Digest: send encrypted everytime
- Realm = subset of domain
- BASIC: authentication happens via header, encoded in Base64
- DIGEST: 'encrypts' username and password. Sends out a call to sever, the 401 return of which contains information that is hashed in MD5 in combination with the credentials, the hash of which is then checked once its sent
- SQL injections go brr
- Risks: tampering, spoofing/identity theft. Consider likelihood x severity
- websockets also take path params