Secure Communication Requirements
To ensure secure communications between the client and server, you must provide these security measures:
- Sender Authentication: A receiver needs to know that a message came from a trusted entity.
- Message Encryption: By encrypting the message before transmission and decrypting the message when received, you prevent man-in-the-middle attacks.
Secure Communication Options
You can choose to secure your communications using one of these methods:
- JSON Web Token
- JSON Web Tokens (JWTs) are digitally signed JSON objects based on the open standard RFC 7519. These tokens provide a compact, self-contained method for securely transmitting information between parties. These tokens are signed with an RSA-encoded public/private key pair. The signature is calculated using the header and body, which enables the receiver to validate that the content has not been tampered with. Token-based applications are best for applications that use browser and mobile clients.
- HTTP Signature
- Each request is digitally signed, or the entire request is digitally hashed using a private key. Both the client and server will have the same shared secret, which enables each request to be validated on either end. If the request transmission is compromised, the attacker cannot change the request or act as a user because they do not have the secret. HTTP signatures can be used only with API requests. They cannot be used in browser or mobile applications.