Is it possible to create a secure SSL'ed API that authenticates using a session ID within a cookie, includes a nonce as a query parameter, and always responds with a JSON 'Object' response? How effective would this be against XSRF attacks?
The goal of this API is to only be accessible by pages on the same domain, allowing for the exposure of private data like usernames and emails while maintaining simplicity for developers.
Here are some reasons why I believe this approach is secure, but please correct me if I'm mistaken:
- If a `<script>` tag from a third-party domain tries to access our site, it won't be able to read the JSON object response. Additionally, all state-changing API calls require non-GET methods to prevent any malicious attempts. The lack of JSONP support is intentional to maintain security.
- SSL with valid certificates prevents man-in-the-middle attacks targeting cookies.
- Replay attacks are limited by the use of a nonce to restrict the validity of HTTPS requests over time.
- XMLHttpRequest cannot make cross-domain requests, preventing unauthorized access to our site.
- CORS concerns are minimized by not advertising cross-domain support in HTML 5 files.
- Even if an iframe is embedded on a third-party site, the host site cannot access its data due to restrictions on cross-domain communication.
EDIT:
Using a nonce can also protect against cross-domain GET requests (like `<script>` tags). By requesting a nonce in a 'POST' API call that isn't nonce-protected itself, only XMLHttpRequests on the same domain can generate a nonce, making the process developer-friendly without requiring server-side involvement. Simply request a nonce from the API being developed against and use it until receiving a 'bad nonce' response, then repeat the process.
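The flow the question describes, modelled as an added example that is not part of the original post: a session cookie identifies the caller, a POST-only `/api/nonce` endpoint (name assumed) hands out a nonce bound to that session, every other endpoint demands a fresh nonce in the query string, state-changing endpoints refuse GET, and every response is a JSON object rather than a bare array. The cookie name `session`, the endpoint paths, the five-minute nonce lifetime and the in-memory stores are all assumptions made for the example; the session and user records are constructed sample data.

```python
"""Model of a cookie-session + single-use nonce API (added example, not from the question)."""
import hmac
import secrets
import time
from http.cookies import SimpleCookie

NONCE_TTL_SECONDS = 300  # assumed lifetime; the question does not specify one

# Constructed sample session store: session id -> user record.
SESSIONS = {
    "sess-abc123": {"username": "alice", "email": "alice@example.com"},
    "sess-def456": {"username": "bob", "email": "bob@example.com"},
}
# Issued nonces: nonce -> (session id it was issued to, expiry timestamp).
NONCES = {}


def session_from_cookie(cookie_header):
    """Return the session id carried in the 'session' cookie, or None if absent or unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" not in jar:
        return None
    sid = jar["session"].value
    return sid if sid in SESSIONS else None


def issue_nonce(session_id, now=None):
    """Mint a random nonce bound to the calling session (the POST /api/nonce step)."""
    current = now if now is not None else time.time()
    nonce = secrets.token_urlsafe(32)
    NONCES[nonce] = (session_id, current + NONCE_TTL_SECONDS)
    return nonce


def consume_nonce(nonce, session_id, now=None):
    """Single-use check: the nonce must exist, belong to this session and be unexpired."""
    entry = NONCES.pop(nonce, None)  # removed even on failure, so it can never be retried
    if entry is None:
        return False
    bound_sid, expires_at = entry
    current = now if now is not None else time.time()
    return hmac.compare_digest(bound_sid, session_id) and current < expires_at


def handle(method, path, query, cookie_header, body=None, now=None):
    """Dispatch one request. Every return value is (status, JSON object), never a bare array."""
    sid = session_from_cookie(cookie_header)
    if sid is None:
        return 401, {"error": "no valid session cookie"}

    # The only endpoint that is not nonce-protected: it issues a nonce to the session.
    if path == "/api/nonce":
        if method != "POST":
            return 405, {"error": "POST required"}
        return 200, {"nonce": issue_nonce(sid, now)}

    # Everything else must carry a valid, unused nonce in the query string.
    if not consume_nonce(query.get("nonce", ""), sid, now):
        return 403, {"error": "bad nonce"}

    user = SESSIONS[sid]
    if path == "/api/me":  # read-only: GET is acceptable once the nonce checks out
        return 200, {"username": user["username"], "email": user["email"]}

    if path == "/api/email":  # state-changing: refuse GET outright
        if method == "GET":
            return 405, {"error": "state changes require a non-GET method"}
        user["email"] = (body or {}).get("email", user["email"])
        return 200, {"ok": True, "email": user["email"]}

    return 404, {"error": "unknown endpoint"}
```

Note that the nonce is consumed before the method check on `/api/email`, so a GET that reaches a state-changing endpoint burns the nonce and the client must fetch a new one; that matches the "use it until you get a 'bad nonce' response, then repeat" loop the question describes.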