SCripted REST API best practices about passing parameters

Vasudhevan2 · ‎07-05-2024

We have implemented a scripted REST API of type GET. we are currently receiving the parameters required as part of the resource path (pat parameters). for example the resource path that we use is something like '/api/product_integration/products/{emp_id}/{ticket_id}'. Then we retrieve the employee id and ticket ID from the path parameters. Now there is requirement from Security team to move the parameters from the resource path to request body. This would need some development effort at both server and client side. I would like to understand, is there any security challenges with path parameters even with the end point being HTTPS and also the ServiceNow Table APIs seems to use similar format. Also performance wise which option is better, path params or request body. We have a significant number of API calls for this integration may be up to 10000 per day.

Looking forward to your suggestions and inputs.

Community Alums · ‎07-06-2024

Hi @Vasudhevan2 ,

Security challenges with path parameters - even with HTTPS the data can be exposed in logs, referrer headers, and browser history which can be a security constraint.

The performance difference both the approaches will be minimal. I would recommend to focus more on the type of data and security requirements.

For sensitive data, we should use request body parameters with POST requests and ensure the use of HTTPS to protect data while sending.

We should also follow the HTTP standards and best practices to ensure secure and robust API design.

If my response has resolved your query, please consider giving it a thumbs up ‌‌ and marking it as the correct answer‌‌!

Thanks & Regards,

Sanjay Kumar

View solution in original post

Kieran Anson · ‎07-05-2024

From a design perspective, my advice would be to think outside of SN and the tools that could interact with this API. Based on RFC 7231, GET shouldn't have a body. Although SN supports it, some tools that will interact with SN may not - which will cause poor interoperability

If you want to move to using the body to pass in information that'll be used to constrain a query, you'd be better off creating a POST endpoint

An easier ready than the IETF document is https://www.baeldung.com/cs/http-get-with-body

Community Alums · ‎07-06-2024

Hi @Vasudhevan2 ,

Security challenges with path parameters - even with HTTPS the data can be exposed in logs, referrer headers, and browser history which can be a security constraint.

The performance difference both the approaches will be minimal. I would recommend to focus more on the type of data and security requirements.

For sensitive data, we should use request body parameters with POST requests and ensure the use of HTTPS to protect data while sending.

We should also follow the HTTP standards and best practices to ensure secure and robust API design.

If my response has resolved your query, please consider giving it a thumbs up ‌‌ and marking it as the correct answer‌‌!

Thanks & Regards,

Sanjay Kumar

Community Alums · ‎07-06-2024

Hi @Vasudhevan2 ,

Get method is only use in retriving the information from the destination source, we can not send any body parameters in GET method for that we can use POST method.

https://swagger.io/resources/articles/best-practices-in-api-design/

Hence, moving parameters from the path to the request body can enhance security by reducing exposure in logs and caches. However, it requires careful consideration of your application's architecture, API design, and potential impact on existing clients and infrastructure. Work closely with your security team and development team to implement this change effectively, ensuring that security concerns related to path parameters are adequately addressed in the context of your specific application and environment.

Please mark my answer correct and helpful if this works for you

Thanks and Regards

Sarthak