How to ensure the security of HTTP-based apis?
In current information systems, the first security checkpoint is, of course, the password. APIs are no exception. Either you log in once and get a token that is valid for a short time, or you send your account and password with every request.
If you send your account and password with every request, the API site must require HTTPS or risk leakage. A workaround, of course, is asymmetric encryption: the password is encrypted with the public key and sent, and the server decrypts it with the private key. However, this increases the amount of work on the client side, which may not be feasible.
Token mode means that the server saves the state of the client. In REST style, there are:
1. All objects on the network can be abstracted into resources.
2. Each resource has a unique identifier.
Stateless means that the server will not maintain the state of the client, and all operations are idempotent. The same operation, even if it is performed tens of thousands of times, will be treated in the same way.
Of course, the server that maintains the requester’s state is logically separate from the server that provides the API, so there is no contradiction.
I don’t know if I understand this correctly.
Web Api security
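The "log in once and get a short-lived token" mode from the question, as an added example that is not part of the original post: the client proves the password once, the server issues a token signed with an HMAC key and carrying an expiry, and the API server then checks every request by verifying the signature rather than by looking up a per-client session record. Passwords are stored as salted PBKDF2 hashes, and all comparisons use constant-time equality. `SERVER_SECRET`, `USERS`, `TOKEN_TTL_SECONDS` and all function names are assumptions for this example; the sample account and its password are constructed. Transport is still HTTPS in every case, since a token in an `Authorization` header leaks just as easily as a password does.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key for this example; a real deployment loads it from a
# secret store and rotates it. Everything the API server needs to check a
# token is this key, so no per-client session state has to be kept.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60  # short-lived, as the post describes
PBKDF2_ROUNDS = 100_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store with one sample account (hypothetical credentials).
USERS = {"alice": _make_user("correct horse battery staple")}


def verify_password(username: str, password: str) -> bool:
    """Check a password against the stored salted hash in constant time."""
    record = USERS.get(username)
    if record is None:
        # Burn comparable time for unknown users so timing does not reveal
        # which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def issue_token(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Login step: verify the password once and return a signed, expiring token."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(SERVER_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """API step: return the username if the token is authentic and unexpired."""
    try:
        body, sig_text = token.split(".", 1)
        sig = _b64url_decode(sig_text)
        expected = hmac.new(SERVER_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    except ValueError:  # malformed base64 or non-ASCII input
        return None
    # Signature check first, so untrusted claims are never parsed unless signed.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authenticate_request(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Pull the bearer token out of a request's headers and verify it."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, now)


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse battery staple")
    print("issued:", tok)
    print("caller:", authenticate_request({"Authorization": f"Bearer {tok}"}))
```

Because the token carries its own expiry and signature, the API server in this design is stateless with respect to clients; what it must protect is the signing key. Revoking a token before it expires needs extra state (a deny-list or key rotation), which is the trade-off the short TTL is meant to keep small.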