How to block api requests from web browsers and tools like cURL? - web-services

I am currently making a server that serves API requests to mobile clients. I want to somehow block web browsers or tools like cURL from making requests to my API. Is that possible? If it is, what is the most secure and efficient way of doing that?

Your server cannot really block individual curl requests. However, your server can refuse serving requests that it doesn't want to.
To explain it a bit better, suppose your mobile sends in an HTTP request. Any curl request can be made to mimic that exact mobile request, making it look like it came from your mobile (by sending the same headers, auth params etc). Your server doesn't see curl, it just sees the HTTP request.
You might try blocking requests with user agent string that looks like it comes from curl, but this won't be of much use; as I mentioned, curl can be used to mimic any HTTP request.
Coming to your comment
I have an authentication API that gives an auth token once the user logs in, but you could log in using cURL (and even the web browser)
If you have an https server, your requests are safe from getting hijacked, since the user can only read his own requests, not the ones sent by other devices. So you don't really need to block curl requests.

Related

Choosing the scenario of using Web Sockets in standard HTTP REST API

I will be happy to get advice from more experienced developers about adding Web Sockets into my HTTP-based project.
That’s the thing. I have developed the REST API based service. Everything works well enough, but… In some special cases my server needs a long time to serve client requests. It may be from 1 minute to several hours (and even days)! I implement some not-so-good algorithm to address this issue:
Client sends HTTP request
Server replies about registering request
Client starts sending HTTP requests to get necessary data (if response does not have needed information the client sends another request and so on)
That is all in a nutshell.
And it seems to be a bad scenario and I am trying to integrate web sockets for adding duplex-channels in this architecture. I hope that my API will be able to send info about updated data as soon as possible without the necessity of many requests from the client.
But I am a bit confused in choosing one of two ways to use web socket (WS).
Variant A.
The server only tells the client via WS that data is ready. And the client gets data by standard request-response HTTP method from REST API.
Variant B.
The server sends all data to the client via WS without HTTP at all.
What variant is more suitable? Or maybe some other variants?
I do not want to remove HTTP at all. I just try to implement WS for a particular kind of end-points.
Variant A would be more suitable and easy to implement. You can send message to the client after the data is ready, and he can then send request for the data. It will be like a simple chat websocket, and will serve your purpose.

Will HTTPS Authentication Slow My Application?

I am building a web application and RESTful web service.
I have been reading various articles about the best way to authenticate the requests to the web service.
The best option for me seems to be to use HTTP basic authentication. Pretty much every article ive read says that authentication should be encrypted over SSL or equivalent.
Im not totally sure what this involves. Does this mean that my whole web service will have to be on a secure server? Will this slow things down?
This really depends on how much data is being transferred and the amount of hits your service is getting. Encrypting the data will increase processing time and typically the amount of information transferred. However, if you choose basic authentication without SSL and there is a user running a packet sniffer on your network, it is almost like yelling your credentials across the room. It is possible to switch between HTTP and HTTPS by configuring your .HTACCESS if you'd like. See the link below:
Correctly switching between HTTP and HTTPS using .htaccess

Do we need to install a webserver for a webservice to work, always?

I will be having a software which will give me information about the moving vehicles on the server side and I need to pass this information to the client computer on demand.
There will be a website which will act like a server and another website will act like a client. The client
website will ask for a data from the server website.
From here: https://stackoverflow.com/a/2849683/462608
As the protocol may not be HTTP, you may provide WebServices over mail or other protocols, and you do not need a web server for that.
I request an explanation on the above quote. In my case will I be needing a webserver?
There is a bunch of webservice protocols, some of them may use and some may not use http as transport layer. When http is used - you need a webserver on server-side of your service and a webbrowser as a client. If the transport is other than http, you need server of other type, and other client, for example, mail server and mail client in case of running service over smtp.

Redirect outgoing HTTPS request to an HTTP fake service?

My title might be overly specific - I'm having trouble formulating the question, since I haven't dealt with network administration a lot, and especially not SSL / HTTPS. In other words, the answer to "Why haven't you done . . ." is like to be, "I don't know much about ...."
I am testing, and the System Under Test (SUT) is a web service calling into the Facebook API using https://graph.facebook.com.
I have a test server set up on a remote machine that will serve pages to http://graph.facebook.com. I can use the hostfile on the SUT server to redirect requests to http://graph.facebook.com to the test server. This works fine when I then type:
curl http://graph.facebook.com
The test server receives the request, and serves back the expected page.
However, as mentioned before, the SUT isn't using the HTTP site, but the HTTPS site for the Facebook API (naturally). Is there any way I can intercept the outgoing request and redirect it to the HTTP service that I'm running on the other site? I'd like to be able to type:
curl https://graph.facebook.com
and have it be redirected to the fake Facebook service I'm running on the test server. I can configure the servers at both ends.
If this is very difficult, I might also want to put in a feature request for the ability to change the URL for the Facebook API requests. However, I think the dev is using a pre-existing Facebook API module, and this might not be straight-forward. (Okay, I got curious and checked . . . a quick investigation suggests that the API supports data injection of the code that handles the actual HTTPS requests, so he'd have to implement his own version of the interface so that he could pass in a configurable URL that I could set from outside of the code - but I'd still rather not distract him unless it's really necessary).
I'm using an asis-server on port 80 to fake the Facebook responses, if that is relevant.
The solution we ended up using was a service on the test server that intercepted the HTTPS requests and redirected them to the HTTP service. Our ops person used nginx for this.
We're still not sure if this will work as a mock for the SUT - it depends on if the SUT is verifying the certificate information or ignoring it. I still might need to ask the developer to implement a feature to support mocking.

SOAP request logging Tomcat 7 Axis2

We are trying to log all http requests made to our Tomcat server, in particular SOAP requests.
Our server setup is as follows:
Tomcat 7.0.11
Axis 2
Gentoo Linux
So far we have used the RequestDumperFilter class however this only shows us the header information.
What we require is the ability to view the request body containing the SOAP request XML.
I guess you could make use of some request processing components but I'm not sure if there is an easy way to view the request body in Tomcat.
From what I know, the ExtendedAccessLogValve provides the most information about the request but even this is missing the body.
The most simple solution would be to move the logging away from Tomcat and use a proxy server. You place the proxy between the server and it's clients and do the logging in the proxy.
Proxy receives request, logs it, then forwards to Tomcat which generates response, sends it to the proxy which logs it and then sends it to client. The simplest proxy I used (and did its job pretty well) was the Apache TCP Monitor.
Additionally you could look at something like Fiddler and see if that helps.