KLUBS, 2011-04-14 16:06:21
API

How to secure a web service (API)

Good afternoon.

There is a web service on PHP/Apache (self-written, a bit like this one). It is a service for working with a MySQL database. The service is needed because the hosting often has problems with remote (non-localhost) access to the database: you have to register IP addresses, and there are other inconveniences. A C# program will work with the service.

Actually, the question is: how to protect a web service from other people's evil?

  1. No one will know the address of the service; how do I protect it from publication and indexing?
  2. http://developers.vgorode.ru/wiki/Protected_application_interaction_with_API - here it is written about the md5 signature, but where can I read how and from what it protects, and what check should be done on the server?
  3. What (which algorithm) can be used to encrypt, so that it can be implemented in both PHP and .NET (or downloaded ready-made, free of charge)? The service will have only one client, this program, so the keys can be baked directly into the code.


4 answer(s)
mark_ablov, 2011-04-14
@KLUBS

What is there to encrypt?
Send the key; PHP checks it, and if it is incorrect, sends nothing, if it is correct, it sends the data.

burdakovd, 2011-04-14
@burdakovd

@mark_ablov
It seems to me that AES won't protect against an attacker cloning legitimate requests: there is no randomized connection establishment (as in SSL), and no timestamps with a check for repeats, as described in the link the topic starter posted.
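The kind of check burdakovd is describing, a request signature combined with a timestamp and a one-time nonce so that a captured request cannot simply be resent, as an added example that is not part of this thread. It is written in Python as a language-neutral model of the scheme (the service in the question is PHP, the client C#; both have HMAC-SHA256 built in, `hash_hmac` and `HMACSHA256` respectively), it uses HMAC-SHA256 rather than the bare md5 of the linked wiki, and the secret, the 300-second window and the field names `ts`, `nonce`, `sig` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"shared-secret-baked-into-client-and-server"  # constructed placeholder
MAX_SKEW = 300  # seconds a signed request stays valid (assumed window)


def canonical(params: dict) -> str:
    """Serialise parameters in a fixed key order so both sides hash the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def sign_request(params: dict, secret: bytes = SECRET, now=None) -> dict:
    """Client side: add timestamp, fresh nonce and HMAC over everything but 'sig'."""
    signed = dict(params)
    signed["ts"] = str(int(time.time() if now is None else now))
    signed["nonce"] = secrets.token_hex(16)
    signed["sig"] = hmac.new(secret, canonical(signed).encode(), hashlib.sha256).hexdigest()
    return signed


class Verifier:
    """Server side: signature check, freshness window, and a replay cache of nonces."""

    def __init__(self, secret: bytes = SECRET, max_skew: int = MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> expiry time; in PHP this would live in the DB or APCu

    def verify(self, request: dict, now=None) -> tuple:
        now = int(time.time() if now is None else now)
        try:
            sig, ts, nonce = request["sig"], int(request["ts"]), request["nonce"]
        except (KeyError, ValueError):
            return False, "missing fields"
        unsigned = {k: v for k, v in request.items() if k != "sig"}
        expected = hmac.new(self.secret, canonical(unsigned).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:  # old or future-dated request
            return False, "stale timestamp"
        # drop nonces whose window has passed, then reject one we have already accepted
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = now + self.max_skew
        return True, "ok"
```

Because the nonce cache only needs to hold entries for `MAX_SKEW` seconds, the server's storage stays bounded while any resubmission inside the window is still refused.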

Tagire, 2011-04-14
@Tagire

OAuth?

lavel, 2011-04-14
@lavel

A self-signed CA certificate and client authentication certificates issued by it. This works at the Apache level: a client without a certificate will receive a 401 error and will not see anything. You can make as many client certificates as you like, and they can also be revoked through the revocation list. Also, in the Common Name of the certificate you can put any data that identifies the user in the system, i.e. the certificate can be used for both authentication and authorization.
