How should I encrypt my Rest API?


#1

I am using Nickel to create a REST API for my application.

It is important that this piece remains secure as this is a high security application. We would like calls to this API to be able to use a client secret that identifies the client to us but not be able to have this intercepted by others who could then pretend to be that client.

Is it safe to simply make calls to our Rest API? Or do we need to incorporate some encryption? Something like the client secret is actually a signature using a public-private key pair, where the client is the only one with that private key.

Or perhaps we should use sockets instead?

Thank you!


#2

Use TLS with client certificate authentication.


#3

You could use Nginx webserver as a TLS termination point, and use its “upstream” configuration to point to your API application sat behind it. That way you have a mature, well-tested web server protecting the Nickel application, and Nginx also has a variety of add-on modules which can screen requests etc. An example of using client cert authentication with Nginx can be found here.

You can use the Qualys SSL Test to probe the quality of your TLS configuration.