Question: How to secure a WCF REST API

  • Question

  • User2001833234 posted

    Could someone please help:

    I have been reading up on creating REST Web Services and I am starting to get a decent understanding of how/what to do to create and deploy them. What I am very concerned about is how you secure them over the internet.

    Please bear with me, I am not a networking person. My goal is to create REST APIs that allow users (connecting with iOS applications) to download and upload data. We will need to host the APIs on our local network web server so that the services will have access to our databases.

    I would assume that our network admin would open a port on our router that would point to the web server, but what can I do after that to secure the transmissions? Would I need to use some type of key plus encrypted username and password?

    How is it usually done?

    Thanks in advance.

    Wednesday, November 18, 2015 6:27 PM

All replies

  • User-219423983 posted

    Hi duckkiller53,

    About how to secure a WCF REST API, you could have a look at the following links, which provide some suggestions and solutions to protect your WCF services. The first one shows how to let WCF work with HTTPS to protect the communication pipeline, and the second one talks about a similar need and provides some suggestions you could refer to.

    http://www.allenconway.net/2012/05/creating-wcf-restful-service-and-secure.html

    http://stackoverflow.com/questions/7332029/how-should-i-secure-my-wcf-rest-json-services-for-use-with-an-ios-android-applic

    I hope it’s useful to you.

    Best Regards,

    Weibo Zhang

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, November 19, 2015 4:57 AM
  • User2001833234 posted

    Weibo:

    Could you answer these questions? I have done more reading (which just leads to more questions :) and I am curious about this. From what I read on the link you posted, can I assume the following statements are correct?

    Do most developers create their REST web service and then use 'Transport' level security with the 'webHTTPBinding' to create a communication tunnel? This would yield the SSL https connection.

    Do developers use any other type of PUBLIC / PRIVATE key to handshake between the app and service? If so, how / what do they use?

    Thursday, November 19, 2015 2:22 PM
  • User-219423983 posted

    Hi duckkiller53,

    Do most developers create their REST web service and then use 'Transport' level security with the 'webHTTPBinding' to create a communication tunnel?

    For this question, you’d better have a look at the following thread, which explains the difference between transport security and message security and how HTTPS is used in these methods.

    http://stackoverflow.com/questions/5673283/wcf-transport-vs-message

    Do developers use any other type of PUBLIC / PRIVATE key to handshake between the app and service? If so, how / what do they use?

    For this question, you could have a look at the following links, and according to them you can see that SSL will negotiate a session key and service public key during the handshake, which will allow you to encrypt the content with the service certificate public key and sign the content with the private session key.

    https://msdn.microsoft.com/en-us/library/ff648863.aspx

    http://stackoverflow.com/questions/13878362/wcf-mutual-ssl-security-what-certificates-are-used-when

    I hope it’s useful to you.

    Best Regards,

    Weibo Zhang

    Friday, November 20, 2015 3:44 AM
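
The 'Transport' security on webHttpBinding discussed in this thread, shown as a web.config fragment. This is an added example, not configuration from any poster or from the linked articles; the service, contract, binding and behavior names (MyApp.DataService, MyApp.IDataService, httpsRest, restBehavior, secureService) are hypothetical.

```xml
<!-- Added example; all name="..." values and the MyApp.* types are hypothetical. -->
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <!-- Weak setting, shown for contrast and left commented out:
           mode="None" serves the REST endpoint over plain HTTP, so request
           bodies and any credentials travel unencrypted.
      <binding name="plainRest">
        <security mode="None" />
      </binding>
      -->
      <!-- Corrected setting: mode="Transport" makes the endpoint HTTPS-only.
           TLS encrypts the channel and authenticates the server to the client. -->
      <binding name="httpsRest">
        <security mode="Transport">
          <!-- "None" means no transport-level client credential is required;
               authenticating the caller is a separate decision. -->
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <!-- webHttp enables the REST (URI template) programming model. -->
      <behavior name="restBehavior">
        <webHttp />
      </behavior>
    </endpointBehaviors>
    <serviceBehaviors>
      <behavior name="secureService">
        <!-- Do not return exception details to remote callers. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyApp.DataService" behaviorConfiguration="secureService">
      <endpoint address=""
                binding="webHttpBinding"
                bindingConfiguration="httpsRest"
                behaviorConfiguration="restBehavior"
                contract="MyApp.IDataService" />
    </service>
  </services>
</system.serviceModel>
```

With this binding the hosting site also needs an HTTPS binding with a server certificate, and only the HTTPS port needs to be reachable from the internet.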