
Designing a Secure REST (Web) API without OAuth

Situation

You want to develop a RESTful web API for developers that is secure to use, but doesn’t require the complexity of OAuth and takes a simple “pass the credentials in the query” approach… or something equally as easy for people to use, but it needs to be secure. You are a smart guy, so you start to think…

Problem

You realize that literally passing the credentials over HTTP leaves that data open to being sniffed in plain text; after the Gawker incident, you realize that plain-text or weakly-hashed anything is usually a bad idea. You realize that hashing the password and sending the hash over the wire in lieu of the plain-text password still gives people sniffing at least the username for the account and a hash of the password that could (in a disturbing number of cases) be looked up in a rainbow table. That’s not good, so you scratch your head some more… “Still not quite right!”

Solution

So you keep searching for articles on “secure API design”… That seems pretty straightforward.

marcj/php-rest-service

Understanding Browser HTTP Accept Headers: Firefox, Internet Explorer, Opera, and WebKit (Safari / Chrome)

Update: WebKit team responds to this post. Admits error, downplays importance.

When a web browser makes a request, it sends information to the server about what it is looking for in headers. One of these headers is the Accept header. The Accept header tells the server what file formats, or more correctly MIME types, the browser is looking for. Let's take a look at Firefox's Accept header:

GET /page/routing-in-recess-screencast HTTP/1.1
Host: RecessFramework.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Let's translate Firefox's request to English: Dear RecessFramework.org, I want the resource "/page/routing-in-recess-screencast" and I want it in an HTML or XHTML format. The Accept header gives the browser a chance to tell the server which format it wants for a resource. How does the browser specify the preference "Give me HTML/XHTML before XML before */*"? For as brilliant as the spec is, it is a terrible read.

What in The Header Were You Thinking, WebKit?

A Better Login System

Net.tuts+ has published several great tutorials on user login systems. Most tutorials only deal with authenticating the user, which allows for two levels of security: logged in and not logged in. For many sites, a finer degree of control is needed to control where users can go and what they can do.

Introduction

Imagine you are running a great tutorial site that lets users learn about a wide variety of web development techniques.

Your problem

You want to restrict users to only the specific pages that their particular account allows access to.

The solution

Implementing an access control list will allow you a great deal of control over what users can and cannot access on your site. If you view the demo, available with the downloadable source code, you will be greeted with an index page that tests the ACL for each user. This system will enable you to create different groups of users (i.e. guests, premium members, contributors, and admins).

Step 1: Create the Database
Step 2: Database Include

RemoteCollab

Remote Collab is an open-source SublimeText plugin for remote pair programming, allowing multiple developers to work together on the same project in real-time.

How to Install

Via Package Control: The easiest way to install is using Sublime Package Control. Open Command Palette using menu item Tools -> Command Palette...

Manual: You can also install Remote Collab manually:
1. Download the .zip or .tar.gz archive
2. Unzip and rename the folder to RemoteCollab
3. Copy the folder into the Packages directory, which you can find using the menu item Sublime Text -> Preferences -> Browse Packages...

How to Use

Host a session: Open the file you wish to collaboratively edit. Open Command Palette using menu item Tools -> Command Palette...

Join a session: Open Command Palette using menu item Tools -> Command Palette...

Team Remote

Team Remote is Hawk Weisman (@hawkw), Dibyojyoti Mukherjee (@dibyom), Soukaina Hamimoune (@hamimounes), and Andreas Bach Landgrebe (@grebes15).

Simple Secure Login Script

Fix the 3 silent performance killers for IIS / ASP.NET apps

If you could double your IIS/ASP.NET application performance by making just a few small tweaks, would you do it? Of course you would! (UPDATE: If you are looking for specific techniques to troubleshoot common ASP.NET issues like hangs, high CPU, etc., check out our new LeanSentry Production Troubleshooting course.) It can’t possibly be that easy, can it? Thankfully, that’s not what I am talking about this time. In the last 5 years, we’ve helped hundreds of companies address performance problems in their IIS & ASP.NET applications. The good news is, several of these problems are very easy to fix.

1. You’ve heard this sage advice before: "don’t use exceptions as flow control in your application".

Detect it: To determine whether your application is suffering from too many exceptions being thrown, monitor the ".NET CLR Exceptions\# of Exceps Thrown / sec" performance counter.

Fix it: Here are some common areas that can cause excessive exceptions:

2. // create compiled query public static Func

3.

PHP Design Patterns (domnikl)
