How to create an API with sensitive data?


I’m designing an API with a method that should be idempotent and should not modify any data on the server. It should be a method that processes a request and returns a response for the given parameters. One of the parameters is sensitive data. Using additional encryption is not an option.

Can a hash function be used to obfuscate sensitive data?

A common pitfall is to attempt to use a hash function to obfuscate the sensitive data and use the hashed value as a key. Although a hash function can’t be easily reversed, when the input domain is relatively small (e.g. all possible SSNs), you can run all inputs through the function to find a match.
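To make the small-domain point concrete, here is an added example (mine, not part of the answer above): it hashes an SSN-shaped value with plain SHA-256 and recovers it by enumerating candidates, then contrasts that with a keyed hash (HMAC-SHA256 under a secret that stays on the server), which an attacker who lacks the key cannot enumerate. The SSN value, the `123` area number and every function name are constructed for the example; the search is limited to one area number (10^6 candidates) to keep the run short, and covering the full nine-digit space changes only the running time.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample value in US-SSN shape (area-group-serial). The whole space
# is only 10^9 values, small enough to enumerate outright.
SENSITIVE_SSN = "123-45-6789"


def unkeyed_token(ssn: str) -> str:
    """The pitfall from the answer: plain SHA-256 of the identifier used as a key."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_token(ssn: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) under a secret that stays on the server.
    Without the key, hashing candidate inputs no longer reproduces the token."""
    return hmac.digest(key, ssn.encode(), "sha256").hex()


def recover_by_enumeration(target: str, area: str,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Rebuild the input by hashing every candidate and comparing with the target.
    The search covers one area number (10^6 group/serial combinations); the
    full 10^9 space differs only in how long the loop runs."""
    for n in range(1_000_000):
        candidate = f"{area}-{n // 10_000:02d}-{n % 10_000:04d}"
        if hasher(candidate) == target:
            return candidate
    return None


def demo() -> tuple:
    """Returns (value recovered from the plain hash, value recovered from the HMAC)."""
    # The attacker sees only the tokens, never the server's secret key.
    plain = unkeyed_token(SENSITIVE_SSN)
    server_key = secrets.token_bytes(32)
    keyed = keyed_token(SENSITIVE_SSN, server_key)

    recovered_plain = recover_by_enumeration(plain, "123", unkeyed_token)
    # The attacker would have to guess the key as well; a wrong key never matches.
    recovered_keyed = recover_by_enumeration(
        keyed, "123", lambda s: keyed_token(s, b"attacker-guessed-key"))
    return recovered_plain, recovered_keyed


if __name__ == "__main__":
    print(demo())  # ('123-45-6789', None)
```

Two caveats on the keyed variant: HMAC is not encryption, but it does need a secret held by whoever computes the token, so if the client that sends the value is expected to compute it, the key has to be shared with that client and anyone holding it can enumerate again; and because the token is deterministic, an observer can still tell that two requests carry the same SSN even without learning which one.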

Can you send sensitive data in an HTTP header?

As far as I can tell, with my limited English, SHOULD != MUST. You won’t break REST API design by sending a POST in this case. You can send your sensitive data in an HTTP header if that is possible. And of course you should use HTTPS if you want to send sensitive data anywhere.

Can a GET method be used to get sensitive data?

According to the REST spec, an idempotent query method should be implemented as an HTTP GET method. The problem in this case is sensitive data, which shouldn’t be passed as a GET parameter in the URL. The only option in the HTTP standard is to pass sensitive data in the body of the HTTP request.

How to use your API key in a request?

To use your key, simply pass the key as a URL query parameter when making Web service requests. For example: GET http://api.data.gov/nrel/alt-fuel-stations/v1.json?api_key=YOUR_KEY_HERE Regardless of the HTTP method being called, the API key should always be passed as a GET parameter in the URL query.
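What the two answers above and the api.data.gov snippet are really about is where a secret ends up once it sits in the URL. The following added example (mine, not code from the quoted answers or from api.data.gov) builds the same request with the key in the query string, in a request header and in a POST body, and shows which of the three a web-server access log line (method plus request target, the part browsers also keep in history and send as Referer) would record. `X-Api-Key` is an assumed header name, `fuel_type=E85` a constructed parameter and `YOUR_KEY_HERE` the placeholder from the snippet; nothing is sent over the network. A small redaction helper for the query-string case is included, since that is the placement the snippet prescribes.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

API_KEY = "YOUR_KEY_HERE"   # placeholder, as in the api.data.gov snippet
BASE = "http://api.data.gov/nrel/alt-fuel-stations/v1.json"


def build_request(placement: str, key: str = API_KEY) -> Request:
    """Build the same call with the secret carried in one of three places.
    The Request object is only inspected, never sent."""
    if placement == "query":            # what the api.data.gov docs prescribe
        query = urlencode({"api_key": key, "fuel_type": "E85"})
        return Request(f"{BASE}?{query}", method="GET")
    if placement == "header":           # the suggestion in the HTTP-header answer
        return Request(f"{BASE}?fuel_type=E85", method="GET",
                       headers={"X-Api-Key": key})  # assumed header name
    if placement == "body":             # the suggestion in the GET-method answer
        body = json.dumps({"api_key": key, "fuel_type": "E85"}).encode()
        return Request(BASE, data=body, method="POST",
                       headers={"Content-Type": "application/json"})
    raise ValueError(f"unknown placement: {placement}")


def access_log_line(req: Request) -> str:
    """The request line a typical web-server access log stores: method and
    request target. Headers and body are not part of it."""
    return f'"{req.get_method()} {req.selector} HTTP/1.1"'


def secret_in_log(placement: str) -> bool:
    """True if the key would be written to the access log for this placement."""
    return API_KEY in access_log_line(build_request(placement))


def redact_query(url: str, sensitive=("api_key",)) -> str:
    """Scrub named query parameters before a URL is written to any log."""
    parts = urlsplit(url)
    cleaned = [(k, "REDACTED" if k in sensitive else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for placement in ("query", "header", "body"):
        print(placement, secret_in_log(placement), access_log_line(build_request(placement)))
    print(redact_query(build_request("query").full_url))
```

The header and body placements keep the key out of access logs, browser history and Referer headers, but on the wire all three are equally visible without TLS, which is why the HTTPS remark in the header answer applies to every placement.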

What happens when API keys are accidentally exposed?

One of the most recent examples of what can happen when a developer’s API keys are accidentally exposed on GitHub can be found in a blog post titled “My $2375 Amazon EC2 Mistake,” written by Andrew Hoffman. In the blog post, Hoffman explains how he had accidentally pushed code to GitHub that included his AWS API keys.
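The practical check that prevents the mistake described in that post is a scan of what is about to be committed. The example below is added here and is not from the blog post or any of the quoted answers: it matches the two shapes of an AWS credential (a 20-character key ID beginning with `AKIA` or `ASIA`, and a 40-character secret assigned to a variable named like `aws_secret_access_key`) and scans only the added lines of a `git diff --cached` so that it can run as a pre-commit hook. The sample config is constructed and uses the example credentials AWS publishes in its own documentation, not real keys; the function names are mine.

```python
import re
import subprocess
import sys

# Long-term key IDs start with AKIA, temporary ones with ASIA; 20 chars total.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access key: 40 base64-style chars assigned to a secret-key-like name.
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def scan_text(text: str, source: str = "<stdin>"):
    """Return (source, line number, kind, value) for every credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((source, lineno, "aws-access-key-id", m.group(0)))
        for m in AWS_SECRET.finditer(line):
            findings.append((source, lineno, "aws-secret-access-key", m.group(1)))
    return findings


def scan_staged_diff(diff_text: str):
    """Scan only the added lines of a unified diff (e.g. `git diff --cached`),
    so existing history is not re-flagged on every commit."""
    added = [l[1:] for l in diff_text.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added), "staged")


# Constructed sample: a credentials file about to be committed. The values are
# AWS's published documentation examples, not live keys.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


if __name__ == "__main__":
    # Pre-commit usage: exit non-zero when the staged changes contain a key.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True).stdout
    hits = scan_staged_diff(diff) or scan_text(SAMPLE, "sample")
    for src, ln, kind, val in hits:
        print(f"{src}:{ln}: {kind}: {val[:4]}...{val[-4:]}")
    sys.exit(1 if hits else 0)
```

A hook like this only helps before the push; once a key has reached a public repository, as in the post above, the only safe response is to revoke it, because rewriting history does not un-publish what was already fetched.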