Sending "plaintext" passwords over HTTPS is standard practice. Due to the encryption provided by TLS, the passwords are not actually sent in plaintext.
To secure a REST API accessible on the internet, you should follow these best practices:
Always Use TLS/SSL
Every web API should use TLS (Transport Layer Security), which encrypts the data transmitted between the client and server. TLS, often still referred to by its predecessor's name, SSL, ensures that sensitive information such as API credentials and private data is protected from interception by third parties. Websites with TLS enabled have URLs that start with https:// instead of http://.
TLS requires a certificate from a certificate authority, which also verifies the legitimacy of your API. Many cloud providers and hosting services manage certificates and enable TLS for you. If you're managing your own web server, you can use Let's Encrypt to easily obtain and manage your certificates.
Password Hashing: Server-Side vs. Client-Side
The recommended approach is to hash passwords on the server side, just before storing them in the database. This is the safest and most preferred method. While you can hash passwords on the client side for additional security, it is generally unnecessary. Client-side hashing only makes sense if you do not trust the server and do not want to expose the actual password to it.
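The server-side hashing described above, as an added example (not code from the original post): the password arrives in plaintext inside the TLS-protected request, and the server salts and hashes it with PBKDF2-HMAC-SHA256 from the standard library just before storing it. The iteration count and the storage format are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. Tune the iteration count to your hardware and raise it over time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Storing the parameters alongside the digest lets you raise the
    iteration count later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    in constant time, so a malformed or foreign record simply fails."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Minimal in-memory user store standing in for the database (constructed).
_USERS: dict[str, str] = {}


def register(username: str, password: str) -> None:
    """Server-side registration handler: hash at the moment of storage."""
    _USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Server-side login handler: never compares plaintext to plaintext."""
    stored = _USERS.get(username)
    if stored is None:
        # Run the hash anyway so a missing user costs the same time as a bad password.
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(_USERS["alice"])
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
```

The record never contains the password itself, and two registrations of the same password produce different records because of the random salt.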
Transmitting Login Credentials
When sending login credentials (username and password) to the server API, ensure that you:
- Transmit the form data in the POST body, not in the URL, so the credentials do not end up in browser history, proxy caches, or server access logs.
- Use HTTPS to prevent password interception through network traffic observation.
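Both points above, as an added example that is not part of the original post: a client helper that refuses any non-HTTPS base URL and places the credentials only in a POST body, beside the query-string anti-pattern it replaces, with a check showing which of the two leaks the password into the request URL (the part that appears in access logs). The API path `/login` and the JSON body shape are assumptions for this example; the requests are built but not sent.

```python
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request


def build_login_request(api_base: str, username: str, password: str) -> Request:
    """Build a login request that keeps credentials out of the URL.

    - scheme must be https, otherwise the password would cross the network in the clear
    - credentials go in the JSON POST body
    - Cache-Control: no-store asks intermediaries not to retain the exchange
    """
    if urlsplit(api_base).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    return Request(
        url=api_base.rstrip("/") + "/login",   # assumed endpoint
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Cache-Control": "no-store"},
    )


def build_query_string_login(api_base: str, username: str, password: str) -> Request:
    """Anti-pattern kept only for comparison: credentials in the query string.

    Even over HTTPS the full URL is written to browser history, proxy logs and
    the server's access log, so the password is persisted in plaintext.
    """
    query = urlencode({"username": username, "password": password})
    return Request(url=api_base.rstrip("/") + "/login?" + query, method="GET")


def password_in_url(req: Request, password: str) -> bool:
    """Does the request line (what access logs record) contain the password?"""
    return password in req.full_url


if __name__ == "__main__":
    # Constructed sample values; nothing is transmitted.
    good = build_login_request("https://api.example.com", "alice", "s3cret-pass")
    bad = build_query_string_login("https://api.example.com", "alice", "s3cret-pass")
    print(good.get_method(), good.full_url, password_in_url(good, "s3cret-pass"))  # POST ... False
    print(bad.get_method(), bad.full_url, password_in_url(bad, "s3cret-pass"))     # GET ... True
```

Sending the request is the caller's job (urllib, requests, or any HTTP client); the point of the helper is that the password can only ever leave the client inside an encrypted POST body.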
By following these practices, you enhance the security of your REST API and protect sensitive user information during transmission.