I’m creating my first API and am using Ruby on Rails. The API will strictly be server to server. I’ve done a lot of reading on the methods of securing an API like this and have decided that using https might be the easiest method, rather than Oauth.
Additional Info:
- API is pretty simple and read only
- The data I’m providing is not cheap and I need to show our data provider and partner that the API is secure and that their data will be protected from theft. This is the only reason I need it secured.
My initial plan is to simply use a private key that will be sent over https. I don’t need to worry about the client sharing this key because they are billed based on usage.
My question is how do you go about enforcing use of https on the client server? Are there any other things I need to do on my end other than require the API routes use https protocol?
HTTPS only does two things:
* Give you a warm fuzzy feeling that you’re communicating with the right server
* Use encryption to prevent eavesdropping and tampering.
This does not restrict access to your API. Using HTTPS for sensitive data is a must, so use it. You can setup your front-end server (nginx for example) to use SSL exclusively (e.g. don’t configure port 80/HTTP). Read more here: http://ariejan.net/2011/10/22/automatically-switch-between-ssl-and-non-ssl-with-nginx-unicorn-rails
Then you will want the client to authenticate itself so you can check they are the right party to receive data from you. You could use OAuth here, but since I gather there will only be one client, this might be overkill.
The simplest form of authentication you can employ is requiring an authentication token. Each request must include this api token which you can validate server-side. You can also use it record metrics about usage.
So, basically, require an API key for every request and configure your server so your API is only exposed over HTTPS.