Designing Evolvable Web APIs with ASP.NET
by Glenn Block, Pablo Cibraro, Pedro Felix, Howard Dierking, Darrel Miller
Chapter 15. Security
The cowl does not make the monk.
In the broadest sense, the security of computer systems encompasses many subjects and techniques, ranging from encryption schemes to availability and disaster recovery systems. However, it is not the goal of this chapter to discuss such a wide range of themes. Instead, we’ll focus our attention on the security aspects that are more specific to Web APIs—in particular, transport security, authentication, and authorization. So, in the following sections we will be addressing these subjects, from both theoretical and practical viewpoints, using ASP.NET Web API as the supporting technology.
This chapter is complemented by the following chapter, which will focus solely on the OAuth 2.0 Framework: a set of protocols and patterns addressing access control in HTTP-based APIs.
Transport Security
The confidentiality and integrity of transferred information are important security requirements that must be addressed when you are designing and implementing distributed systems.
Unfortunately, the HTTP protocol provides little support in this area.
For this reason, the common practice among developers is to address these requirements by using HTTP on top of a secure transport layer, as defined by RFC 1818, “HTTP Over TLS,” resulting in what is informally known as HTTPS.
Briefly, this specification states that when a client performs an HTTP request to a URI with the https scheme (e.g., https://www.example.net), then the HTTP protocol is layered on ...