RESTful API where to place the authorization key
I am creating a Laravel-based API targeting portable devices. I have read many articles on how to properly secure data and transfers.
These are the actions I am taking to protect it:
- Submit data to the https domain using TLS
- Unique API key for each device
- Unique tokens that are restored from time to time.
- The received file is used to encrypt data using hmac-sha1
So, I have 2 questions left:
- Should I send the API key in the header, for example X-Authorization? Or add it to all of my POST / GET / PUT / DELETE in encrypted data with hmac-sha1?
- Any big difference between the above two ways?
I am mainly basing this on this tutorial: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ and on another related SO question.
PS If there is anything that you think I can improve, please let me know!
+3
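The two placements asked about can be combined, as this added example shows (it is not part of the original question): the key identifier travels in the `X-Authorization` header, while a per-device secret is never sent and only keys an `hmac-sha1` over the request. The `X-Timestamp` and `X-Signature` header names, the key store, the canonical string layout and the 300-second window are assumptions made for illustration.

```php
<?php
// Added example; names other than X-Authorization and hmac-sha1 are hypothetical.

const ALGO = 'sha1';   // hmac-sha1 as in the question; 'sha256' is a drop-in for hash_hmac
const MAX_SKEW = 300;  // assumed window (seconds) in which a signed request is accepted

// Canonical string both sides sign: method, path, timestamp and a hash of the body.
function canonical(string $method, string $path, int $ts, string $body): string
{
    return implode("\n", [strtoupper($method), $path, $ts, hash('sha256', $body)]);
}

// Client side: the key id goes in the header, the secret only keys the HMAC.
function signRequest(string $keyId, string $secret, string $method,
                     string $path, string $body, int $now): array
{
    return [
        'X-Authorization' => $keyId,
        'X-Timestamp'     => (string) $now,
        'X-Signature'     => hash_hmac(ALGO, canonical($method, $path, $now, $body), $secret),
    ];
}

// Server side: look up the secret by key id, recompute, compare in constant time.
function verifyRequest(array $headers, array $keyStore, string $method,
                       string $path, string $body, int $now): bool
{
    $secret = $keyStore[$headers['X-Authorization'] ?? ''] ?? null;
    $ts  = $headers['X-Timestamp'] ?? '';
    $sig = $headers['X-Signature'] ?? '';
    if ($secret === null || !is_string($ts) || !is_string($sig) || !ctype_digit($ts)) {
        return false;                        // unknown device or malformed headers
    }
    if (abs($now - (int) $ts) > MAX_SKEW) {
        return false;                        // stale or replayed request
    }
    $expected = hash_hmac(ALGO, canonical($method, $path, (int) $ts, $body), $secret);
    return hash_equals($expected, $sig);     // timing-safe comparison
}

// Constructed sample data, not real credentials.
$store = ['device-42' => 'constructed-secret-not-a-real-key'];
$now   = 1700000000;
$body  = '{"name":"test"}';
$h = signRequest('device-42', $store['device-42'], 'POST', '/api/items', $body, $now);

var_dump(verifyRequest($h, $store, 'POST', '/api/items', $body, $now));          // request as signed
var_dump(verifyRequest($h, $store, 'POST', '/api/items', '{"name":"x"}', $now)); // body altered in transit
var_dump(verifyRequest($h, $store, 'POST', '/api/items', $body, $now + 3600));   // outside the window
```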