
I have a site that allows users to check their statistics (number of files uploaded, how many files they have, quotas, type of access, etc.).

I created a section on my site: api.domain.com

This can be accessed via curl or a web browser since I am returning a JSON object or XML (depending on the user's prefs).

My question is this: should I restrict the access using a user/pass, or should I create a hash of the user file?

For example:

Scenario 1:

The user creates a PHP curl script that sends user and pass via POST or the curl auth and gets back the results, parses it, etc.

For me this is secure, but the user has to maintain his script if they change their pass.

Scenario 2:

The user accesses a file like: api.domain.com/j355HGssgf3HESAjh45jusf4325GSj5hbsHhdh5HGHFS3732he4548475wbe3447nSNe5XfgjhGJ and then accesses the data.

This one, nothing to maintain.


2 Answers


Here are my thoughts on this.

If you return a page not found or an error message (with a good 200 OK status) when a request is made to your page, it might give bots or untrustworthy people a clue about what they can get, and they will try again and again and again...

On the other hand, if you send an access denied, like a 401, or better a 500 error code to simulate a server error, these bots or untrustworthy people might go away for good.

I would say the user/password method is a little more secure in this case.

Now, would you trust simply entering a big string (like scenario 2) when you check your mail? Or your bank account information?


If it were me, I would give each account the ability to create a unique API key,

api.domain.com/?key=<API.KEY>

For more security you could make it only accept connections via the POST method with the API key. If contacted via GET, then show an error, etc.

Then if they change their pass/username it won't affect their API key.

2 Comments

But what if someone stole your API key? I'm searching for some info on this argument because I have 2 servers and I want to communicate some sensitive information via POST. But I don't understand: I can use an API to retrieve the information, but if someone sniffs the call they can retrieve sensitive info with the API key.
If it is sensitive information, I would use SSL and encrypt the data, decrypt on the other end. If you know an API key has been stolen, re-generate a new one :)
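Here is an added example (not code from the question or either answer) of the per-account API key scheme described above: keys are generated with a CSPRNG, only their hash is stored server-side, comparison is constant-time, non-POST requests are rejected, unknown keys get a 401, and a stolen key can be revoked and re-issued. The `KEY_STORE`, `STATS` table and `handle_request` handler are constructed stand-ins for the real api.domain.com backend.

```python
import hashlib
import hmac
import json
import secrets

# Constructed in-memory stores standing in for the site's database.
# KEY_STORE maps user -> SHA-256 hex digest of that user's current API key.
# Only the digest is kept, so a leaked table cannot be replayed as a key.
KEY_STORE = {}
STATS = {"alice": {"files": 12, "quota_mb": 500, "access": "rw"}}


def _digest(key):
    # Keys are 256-bit random values, so an unsalted hash is sufficient here.
    return hashlib.sha256(key.encode()).hexdigest()


def issue_api_key(user):
    """Create a fresh random key for `user`, store its hash, return the key once.
    Calling this again rotates the key (the old one stops working)."""
    key = secrets.token_urlsafe(32)
    KEY_STORE[user] = _digest(key)
    return key


def revoke_api_key(user):
    """Invalidate the user's key, e.g. after it is known to be stolen."""
    KEY_STORE.pop(user, None)


def lookup_user(presented_key):
    """Return the user owning `presented_key`, or None.
    Every stored digest is compared in constant time, without early exit,
    so response timing does not reveal which entries partially match."""
    presented = _digest(presented_key)
    found = None
    for user, stored in KEY_STORE.items():
        if hmac.compare_digest(stored, presented):
            found = user
    return found


def handle_request(method, form):
    """Minimal handler for api.domain.com: returns (status, json_body)."""
    if method != "POST":
        # Only POST carries the key, so GET (and anything else) is refused.
        return 405, json.dumps({"error": "method not allowed"})
    user = lookup_user(form.get("key", ""))
    if user is None:
        return 401, json.dumps({"error": "unauthorized"})
    return 200, json.dumps({"user": user, "stats": STATS.get(user, {})})
```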
