- Was inspecting a REST API reference, and found that all requests are POST requests.
- Reason given was that POST requests are more secure than GET requests, presumably because you don't send data in the URL query string.
- But... is that really a sufficient reason?
- API key is sent in header.
- Otherwise there is no difference in the interface; it comes down to how the REST API server handles the request.
- POST requests are usually used to create resources.
- https://restfulapi.net/idempotent-rest-apis/
- Each POST request creates a new resource on the server, and is therefore not expected to be idempotent.
- So having every REST endpoint be a POST endpoint is odd: does that mean each call creates a resource on the server?
- Not RESTful to implement POST endpoints for read-only operations?
- GET usually implements read-only idempotent operations.
- API key is sent in a header, but headers can still be intercepted: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Intercept_HTTP_requests
- Uses the deprecated "X-..." prefix format for the API key header field: https://tools.ietf.org/html/rfc6648
- Should use the "Authorization: ..." header instead: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Authentication_schemes
- API keys are not the most secure: https://nordicapis.com/why-api-keys-are-not-enough/
- Should consider moving to OAuth 2.0?
- In AWS, Authorization headers are uniquely signed for each transaction: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#ConstructingTheAuthenticationHeader
- OWASP Recommendation: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md#api-keys
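Added example (not from these notes, and not AWS's actual Signature Version 4 algorithm): a simplified per-request HMAC signature carried in the Authorization header, showing why a signed header is harder to reuse than a static API key in an X- header. The shared secret, paths and timestamps are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed placeholder shared secret; a real deployment provisions one per client.
SECRET = b"example-shared-secret-placeholder"
MAX_SKEW_SECONDS = 300  # reject signatures whose timestamp is older/newer than this

def canonical_string(method, path, timestamp, body):
    """What gets signed: method, path, timestamp and a hash of the body, so a
    signature captured from one request cannot be reused on a different one."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])

def sign_request(secret, method, path, timestamp, body=b""):
    """Client side: build the Authorization header value for one request."""
    msg = canonical_string(method, path, timestamp, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"HMAC-SHA256 ts={timestamp}, sig={sig}"

def verify_request(secret, method, path, body, headers, now=None):
    """Server side: True only if an Authorization header is present, its
    timestamp is fresh, and the signature matches a locally recomputed one.
    (Replay inside the skew window still needs a nonce cache; omitted here.)"""
    now = time.time() if now is None else now
    header = headers.get("Authorization")
    if header is None:
        return False  # a static X-Api-Key style header does not count
    scheme, _, params = header.partition(" ")
    if scheme != "HMAC-SHA256":
        return False
    try:
        fields = dict(p.strip().split("=", 1) for p in params.split(","))
        ts = int(fields["ts"])
        presented = fields["sig"]
    except (KeyError, ValueError):
        return False  # malformed header
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale timestamp: a captured header has expired
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    ts = 1700000000
    auth = sign_request(SECRET, "GET", "/v1/orders", ts)
    print(verify_request(SECRET, "GET", "/v1/orders", b"", {"Authorization": auth}, now=ts))  # True
    print(verify_request(SECRET, "GET", "/v1/admin", b"", {"Authorization": auth}, now=ts))  # False: different path
    print(verify_request(SECRET, "GET", "/v1/orders", b"", {"Authorization": auth}, now=ts + 3600))  # False: stale
```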