Zend certified PHP/Magento developer

REST API – Best Practices?

Building out a REST API here. I’m thinking for authorization, API_KEY + NONCE + TIME is a good way to go about it, as I know that’s been the standard around for a good while.

Just checking in, in case there’s some cool new methodologies that I’m currently unaware of. I approach online security with the analogy of a layered onion, hence why I believe Tor and .onion sites are a thing. There’s no silver bullet, or 100% guarantee of online security — you just add on as many security layers as you can, making it all that more difficult for attackers to get to the core of the system.

That’s the point of adding the nonce + time into the REST API calls, with the nonce needing to be higher than the previous. It in and of itself is nothing overly special, but just an extra layer added onto that security onion.

Do I have this about right? If so, is this currently the standard approach when developing out a REST API with security in mind, or are other methodologies out there nowadays that I’m currently unaware of? Thanks very much for your time, and appreciate any feedback.

Pretty confident I have this right, but this is the online software industry after all and things move quick in this industry, so just checking in to make sure.

submitted by /u/Envrin
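The scheme described in the post (API key + strictly increasing nonce + timestamp), written out as an added example that is not part of the original post or the poster's own code. One assumption is worth stating: the key id alone is not a secret, so the example also binds method, path, body, key id, nonce and timestamp into an HMAC computed with a shared secret. Without that signature the nonce and timestamp only stop replays of the exact request, and an attacker who sees the key can mint their own fresh nonces. Header names, the `key_123` credential and the 300-second clock window are constructed values for the example.

```python
"""Added example: HMAC-signed REST request with API key, increasing nonce and
timestamp, plus the server-side checks that make each layer bite.
Not from the original post; header names and credentials are made up."""
import hashlib
import hmac
import json
import time

# Constructed sample credentials: the server holds one secret per key id.
# In production the secret comes from a vault, never from source.
CREDENTIALS = {"key_123": b"super-secret-shared-key"}
TIMESTAMP_WINDOW = 300  # seconds of clock skew tolerated (assumed value)


def canonical_string(method, path, body, api_key, nonce, timestamp):
    """Bind every field the server relies on into the signed string so that
    none of them can be swapped independently of the others."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, body_hash, api_key, str(nonce), str(timestamp)]
    return "\n".join(fields).encode()


def sign_request(method, path, body, api_key, secret, nonce, timestamp=None):
    """Client side: produce the auth headers for one request."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, body, api_key, nonce, timestamp)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-API-Key": api_key,
        "X-Nonce": str(nonce),
        "X-Timestamp": str(timestamp),
        "X-Signature": mac,
    }


class RequestVerifier:
    """Server side. Keeps the highest nonce accepted per key id."""

    def __init__(self, credentials, window=TIMESTAMP_WINDOW, clock=time.time):
        self.credentials = credentials
        self.window = window
        self.clock = clock          # injectable for deterministic tests
        self.last_nonce = {}        # api_key -> highest nonce accepted

    def verify(self, method, path, body, headers):
        """Return (ok, reason). Check order: key, timestamp, signature, nonce.
        The nonce is committed only after the signature passes, so an
        unauthenticated sender cannot burn a client's nonce space."""
        api_key = headers.get("X-API-Key")
        secret = self.credentials.get(api_key)
        if secret is None:
            return False, "unknown key"
        try:
            nonce = int(headers["X-Nonce"])
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "malformed nonce/timestamp"
        if abs(self.clock() - ts) > self.window:
            return False, "timestamp outside window"
        expected = hmac.new(secret, canonical_string(method, path, body, api_key, nonce, ts),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a plain == leaks the matching prefix length.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        if nonce <= self.last_nonce.get(api_key, -1):
            return False, "nonce not increasing (replay?)"
        self.last_nonce[api_key] = nonce
        return True, "ok"


def demo():
    """Exercise the verifier with a fixed clock; returns each outcome by name."""
    now = 1_700_000_000
    key, secret = "key_123", CREDENTIALS["key_123"]
    v = RequestVerifier(CREDENTIALS, clock=lambda: now)
    body = json.dumps({"amount": 10}).encode()
    results = {}
    h1 = sign_request("POST", "/v1/transfer", body, key, secret, nonce=1, timestamp=now)
    results["fresh"] = v.verify("POST", "/v1/transfer", body, h1)[1]
    results["replay"] = v.verify("POST", "/v1/transfer", body, h1)[1]       # same headers again
    tampered = json.dumps({"amount": 1000}).encode()                          # body changed in transit
    results["tampered"] = v.verify("POST", "/v1/transfer", tampered, h1)[1]
    stale = sign_request("POST", "/v1/transfer", body, key, secret, nonce=2, timestamp=now - 3600)
    results["stale"] = v.verify("POST", "/v1/transfer", body, stale)[1]
    older = sign_request("POST", "/v1/transfer", body, key, secret, nonce=0, timestamp=now)
    results["old_nonce"] = v.verify("POST", "/v1/transfer", body, older)[1]  # valid MAC, nonce went backwards
    h2 = sign_request("POST", "/v1/transfer", body, key, secret, nonce=2, timestamp=now)
    results["next"] = v.verify("POST", "/v1/transfer", body, h2)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Two caveats a practitioner would add. The per-key "highest nonce" must live in shared storage (or be scoped per key plus server) once the API runs on more than one node, otherwise a request accepted by node A replays fine on node B. And "strictly increasing" means a client with several concurrent workers needs to coordinate nonces; a common alternative is to use the timestamp as the nonce and keep a short-lived set of seen values within the window.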