← Back to Upcase

SSL for API endpoints?

(Samnang Chhun) #1

I’m building a JSON API for a mobile application. I’m using Rails 4.1.7 + Doorkeeper(oAuth). All requests via clients have to attach Authorization:“Bearer <access_token>” in http header. Now I want to secure all requests via SSL, after I plug in SSL from DNSimple and setup it on heroku, then I feel my response time is increased. Do you usually secure your API with SSL? Do you experience on HTTPS handshaking to slow down your response time?

(Brian Dear) #2

I nearly always secure endpoints with SSL. It prevents Man in the Middle attacks, which would be someone connects to your API (either one of your apps or someone else’s) and the content could get intercepted and changed without the end user (or the server) even knowing about it. In short, SSL will protect your calls – the sender and recipient get exactly what they expect.

Depending on your app and where you’re using it, governments (and even hotels) have been known to inject content or block content. For example, if you have a photo-sharing app and you tagged it Tienamen Square 1989 and that text was going across your API, it could get filtered or blocked, so it would potentially result in a non-specific failure (Connection Lost is a common one.) I lived in China for several years and this kind of thing happened frequently to me. A web site (or API) wouldn’t be blocked overtly, but stuff would just get dropped or connections lost unexpectedly.

This article has some best practices for API design and one of the rules is "Use SSL everywhere, no exceptions’ SSL has some big benefits for authentication – you don’t have to sign each request and can use simple API access tokens. This actually could speed up your application, depending – meaning your auth flow and subsequent calls would have a lower payload and theoretically could be faster. (Someone feel free to jump into this conversation if I’m mistaken.)

The short answer is that you should always use SSL for production APIs. I can’t think of any public API (Twitter, Stripe, FB, whomever) that does not use SSL. It’s pretty much a given. In terms of response times, I think, (in my opinion) is that you’ve optimized your response times to such a degree that you’re worried about SSL slowing things down – then you’ll have a very, very fast API, My point is that if response times are bothering you, look at your code and areas that you might be able to speed things up (the n+1 query problem is a pretty good place to look first.) Also, I use Russian Doll caching on my api jbuilder templates. So when I build an API, it’s only making queries when absolutely necessary. So basically the same strategy that you’d use for Russian Doll caching on your HTML views, you can use it in jbuilder templates.

Good luck!

(Samnang Chhun) #3

I’m not sure, but this will going to be insecure because hijacker can capture the access token and impersonate to be that user.

Thanks for your response. I feel the same SSL should be important for secure API endpoints. Currently, I use ActiveModelSerializer which is lacking caching feature because they take it out and still in development planning in next release.

(Brian Dear) #4

The access token would be coming over SSL – you would definitely never use an access token system without SSL.