API Interface Security Design
Published: 2019-05-27

Interface security here is designed around three elements, Token, Timestamp and Sign, which together ensure that the data passed to an interface cannot be tampered with and that a captured request cannot be replayed. Details follow:

Token authorization mechanism: after the user logs in with a user name and password, the server returns a Token (usually a UUID) to the client and stores the Token-UserId pair in the cache server as a key-value entry. On every subsequent request the server looks up the Token; if it does not exist, the request is invalid. The Token is the credential with which the client accesses the server. It must be unguessable, so generate it from a cryptographic random source (a version 4 UUID, not a time-based one), and give it a finite lifetime in the cache.

Timestamp timeout mechanism: the client sends the current timestamp with each request, and the server compares the received timestamp with its own clock. If the difference exceeds a fixed window (for example, 5 minutes), the request is deemed invalid. This bounds how long a captured request remains usable, so it is a defence against replay; it does not by itself stop a denial-of-service attack, because the server still has to receive and check every request. Client and server clocks must be roughly synchronized, and the comparison should use the absolute difference so that a slightly fast client clock is tolerated.

Signature mechanism: take the Token, the timestamp and the other request parameters, put them in a fixed (sorted) order and hash them with MD5 or SHA-1 (a salt can be added as appropriate). The digest is the signature, sign, of this request. After receiving the request, the server computes the signature with the same algorithm over the received parameters and compares it with the received sign; if they differ, a parameter has been changed and the server returns an error immediately. The signature mechanism ensures that the data cannot be tampered with. Two caveats: MD5 and SHA-1 hash the data, they do not encrypt it, and an unkeyed hash can be recomputed by anyone who knows the algorithm, so the "salt" must be a secret shared only between that client and the server (in practice a keyed MAC such as HMAC over the canonical parameter string); and MD5 and SHA-1 are deprecated for new designs, so prefer a SHA-2 digest.

Reject repeated calls (optional): when a request is first accepted, store its signature sign in the cache server with a timeout equal to the timestamp timeout. Keeping the two equal guarantees that a given URL can be used only once, whether inside or outside the timestamp window: if someone visits the same URL again while the sign is still in the cache, the service is refused; if they visit it again after the cached sign has expired, the timestamp timeout mechanism rejects it. This is why the cache timeout of the sign must coincide with the timestamp timeout. Check the sign cache only after the signature itself has been verified, so that an attacker cannot fill the cache with invalid requests. The reject-repeated-calls mechanism ensures that even if a URL is intercepted it cannot be reused (for example, to retrieve data a second time).

The whole process is as follows:

1. The client logs in to the server with a user name and password and acquires a Token.

2. The client generates a timestamp and includes it as one of the request parameters.

3. The client sorts all parameters, including Token and timestamp, and hashes them with the agreed algorithm to obtain the signature sign.

4. token, timestamp and sign are added as mandatory parameters to the URL of every request (http://url/request?token=123&timestamp=123&sign=123123123).

5. The server implements a filter that verifies token, timestamp and sign. The request is valid only if the token is valid, the timestamp has not timed out, the recomputed sign matches the received one, and the sign is not already present in the cache server.
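The five steps above, implemented end to end as an added example (this is illustrative code, not code from the original article). The cache server is replaced by in-memory dictionaries, the single user and the fixed timestamps are constructed test data, and the "salt" is modelled as a per-client secret handed out at login and used as an HMAC-SHA256 key, so that knowing the algorithm alone is not enough to forge a sign. The functions `login`, `compute_sign`, `build_request` and `verify_request` are names chosen for this example.

```python
import hashlib
import hmac
import time
import uuid
from urllib.parse import urlencode

TIMEOUT = 300  # seconds; the timestamp window and the sign-cache TTL share this value

# Constructed stand-ins for the cache server:
#   TOKENS     : token -> (user id, per-client secret)
#   SEEN_SIGNS : sign  -> time after which the cache entry expires
TOKENS = {}
SEEN_SIGNS = {}

# Constructed user table with a single demo user (password stored hashed).
USERS = {"alice": ("u-1001", hashlib.sha256(b"correct horse").hexdigest())}


def login(username, password):
    """Step 1: exchange user name/password for a Token (a random UUID).

    Assumption: a client secret is issued together with the Token; it plays the
    role of the article's "salt" and is the key for the HMAC signature.
    """
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            user[1], hashlib.sha256(password.encode()).hexdigest()):
        return None
    token = uuid.uuid4().hex   # version 4 UUID: unguessable
    secret = uuid.uuid4().hex
    TOKENS[token] = (user[0], secret)
    return token, secret


def compute_sign(params, secret):
    """Steps 2-3: sort every parameter except sign itself into a canonical
    query string and compute an HMAC-SHA256 over it."""
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "sign"))
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def build_request(token, secret, params, now=None):
    """Step 4: attach token, timestamp and sign to the request parameters."""
    now = int(time.time()) if now is None else now
    signed = dict(params, token=token, timestamp=str(now))
    signed["sign"] = compute_sign(signed, secret)
    return signed


def verify_request(params, now=None):
    """Step 5: the server-side filter. Returns (ok, user id or reason)."""
    now = int(time.time()) if now is None else now
    # Expire old cache entries so the dict behaves like a TTL store.
    for s, exp in list(SEEN_SIGNS.items()):
        if exp <= now:
            del SEEN_SIGNS[s]

    entry = TOKENS.get(params.get("token", ""))
    if entry is None:
        return False, "invalid token"
    user_id, secret = entry

    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > TIMEOUT:
        return False, "timestamp expired"

    expected = compute_sign(params, secret)
    if not hmac.compare_digest(expected, params.get("sign", "")):
        return False, "signature mismatch"

    # Only authentic signs reach the replay cache, so it cannot be polluted.
    if params["sign"] in SEEN_SIGNS:
        return False, "replayed request"
    # Cache until the timestamp check would reject the request anyway:
    # this is the "two timeouts must coincide" rule from the article.
    SEEN_SIGNS[params["sign"]] = ts + TIMEOUT
    return True, user_id


if __name__ == "__main__":
    token, secret = login("alice", "correct horse")
    t0 = 1_700_000_000
    req = build_request(token, secret, {"order_id": "42"}, now=t0)
    print("GET /request?" + urlencode(req))
    print(verify_request(req, now=t0))                         # accepted
    print(verify_request(req, now=t0 + 10))                    # replay rejected
    print(verify_request(dict(req, order_id="43"), now=t0))    # tamper rejected
    print(verify_request(build_request(token, secret, {"order_id": "42"}, now=t0),
                         now=t0 + TIMEOUT + 1))                # expired
```

The replay cache is consulted only after the HMAC has been verified, so an attacker who cannot produce a valid sign cannot fill the cache, and a request signed at t0 is rejected by the cache until t0 + TIMEOUT and by the timestamp check from then on, which is exactly the hand-off the article describes.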

Under the protection of the above three mechanisms:

If someone hijacks a request and modifies its parameters, the signature check fails;

If someone uses a hijacked URL to flood the server, every copy is refused because the sign is already in the cache server or the timestamp has expired, so the hijacked URL cannot be replayed. The filter still has to run for each copy, so this limits what an attacker can achieve with a captured request rather than preventing denial of service outright;

If both the signature algorithm (with its secret) and the user name and password are exposed, then not even the Great Sage Equaling Heaven (Sun Wukong) could help....

Finally, using all of these measures at once is sometimes too complicated. In real projects, tailor them to your own situation: for example, use only the signature mechanism when the goal is simply to prevent tampering, or only the Token mechanism when the service is provided to a fixed set of clients. How much to cut depends on the project and on how strict its interface security requirements are ~