📅 最后修改于: 2020-10-20 04:39:08 🧑 作者: Mango
由于RESTful Web服务可与HTTP URL路径一起使用,因此以与保护网站相同的方式来保护RESTful Web服务非常重要。
以下是设计RESTful Web服务时要遵循的最佳实践-
验证-验证服务器上的所有输入。保护您的服务器免受SQL或NoSQL注入攻击。
基于会话的身份验证-每当对Web Service方法提出请求时,请使用基于会话的身份验证来对用户进行身份验证。
URL中没有敏感数据-切勿在URL中使用用户名,密码或会话令牌,这些值应通过POST方法传递给Web服务。
限制方法执行-允许限制使用诸如GET,POST和DELETE方法之类的方法。 GET方法应该不能删除数据。
验证格式错误的XML / JSON-检查传递给Web服务方法的格式正确的输入。
引发一般错误消息-Web服务方法应使用HTTP错误消息(例如403)来显示禁止访问等。
| Sr.No. | HTTP Code & Description |
|---|---|
|
1 |
200 OK − shows success. |
|
2 |
201 CREATED − when a resource is successfully created using POST or PUT request. Returns link to the newly created resource using the location header. |
|
3 |
204 NO CONTENT − when response body is empty. For example, a DELETE request. |
|
4 |
304 NOT MODIFIED − used to reduce network bandwidth usage in case of conditional GET requests. Response body should be empty. Headers should have date, location, etc. |
|
5 |
400 BAD REQUEST − states that an invalid input is provided. For example, validation error, missing data. |
|
6 |
401 UNAUTHORIZED − states that user is using invalid or wrong authentication token. |
|
7 |
403 FORBIDDEN − states that the user is not having access to the method being used. For example, Delete access without admin rights. |
|
8 |
404 NOT FOUND − states that the method is not available. |
|
9 |
409 CONFLICT − states conflict situation while executing the method. For example, adding duplicate entry. |
|
10 |
500 INTERNAL SERVER ERROR − states that the server has thrown some exception while executing the method. |