HTTP/REST typically requires the support of the TLS protocol for authentication and confidentiality services. Although basic authentication (where credentials are passed in the clear) can be used under the cover of TLS, this is not a recommended practice. Instead, attempt to stand up a token-based authentication (and authorization, if needed) approach such as an OpenID identity layer on top of OAuth2. Additional security controls should be in place when using OAuth2, however.

References for these controls can be found at the following websites:

• http://www.oauthsecurity.com
• https://www.sans.org/reading-room/whitepapers/application/attacks-oauth-secure-oauth-implementation-33644