2

I have a set of machines that I'm going to setup to push data to my web server over HTTPS at regular intervals. These units will automatically send requests using a script, so I plan on giving them configuration files with a username and long password for authenticating with my server.

Is there anything I should do in addition to user credentials to increase security? I'm not so much concerned about the security of the data as I am about unauthorized users getting access to my server. I figure I can try encrypting the the username/password, but I don't know if that will give me any additional security considering I'll be sending the requests using HTTPS.

Copernicus
  • 105

1 Answers1

4

You can consider implementing a different authorization scheme, notably OAuth with Bearer Tokens as a more robust (and, importantly, not self-invented) mechanism.

Also (or instead), you could consider setting up your server to require a client certificate in order to verify that anything accessing your restricted API is a genuine client (or has managed to at least steal your client cert). This might not be the best solution if only some of your endpoints require this security, as it would negatively affect "regular" users. If that's the case, it might be workable to setup a second API requiring client auth consisting only of the POST resources to be accessed by the automated scripts.

Community
  • 1
Dan1701
  • 3,108