Security

Consider the following topics when you are doing security planning for Web Services.

Security layers for communication

When you are using the FTM Web Services runtime environment in a production environment, consider securing the communication between the client and the service.

Web services security has the following security layers:
  • Transport Security: Typically, this security is based on Secure Sockets Layer (SSL) and is accompanied by client authentication that uses HTTP basic authentication.
  • Message Level Security: Secures the message by ensuring the integrity and confidentiality of the message contents.

For FTM Web Services, IBM® WebSphere® Liberty provides the capabilities that are needed to use each of these security layers. Consider applying one or more of these security layers in a production environment.

HTTP response header

A default HTTP response header is appended to each web services response. You can customize the response header that is used for the web services by changing the HTTP Response Headers property on the system properties page.

Encode or escape output properly

These web services are provided for your applications to use. However, the web services do not modify the data values that they return. You must determine whether your application needs to escape or encode any of the values that are returned by the web services.

The following list shows some examples of when an application might need to escape or encode the data that it receives from a web service.
  • A browser-based application needs to escape characters that might be interpreted as JavaScript and rendered in the browser.
  • An XML-based application needs to escape data that might be interpreted as XML tags.
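As an added example (not part of the FTM documentation), the following JavaScript shows the difference between concatenating a returned value straight into markup and escaping it for the HTML or XML context it is placed in. The response object is constructed sample data and its field names are assumptions, not the FTM web services schema.

```javascript
// Constructed sample response (assumed field names, not real FTM output).
// The service returns the values unchanged, so remitterName still carries markup.
const constructedResponse = {
  transactionId: "TX-0001",
  remitterName: 'Acme & Co <script>alert("xss")</script>',
  memo: 'Invoice "Q1" <note/> & more',
};

// HTML text and attribute context: neutralise the characters that can change
// the structure of the markup. Used for every service value placed in a page.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// XML text and attribute context: the five predefined XML entities.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;",
  })[ch]);
}

// Unsafe: the value is concatenated as-is, so the <script> element inside
// remitterName becomes part of the page when this fragment is rendered.
function renderUnsafeHtml(resp) {
  return `<td>${resp.transactionId}</td><td>${resp.remitterName}</td>`;
}

// Safe: every service value is escaped for the HTML context it lands in.
// In a real browser, assigning to textContent instead of innerHTML is equivalent.
function renderSafeHtml(resp) {
  return `<td>${escapeHtml(resp.transactionId)}</td>` +
    `<td>${escapeHtml(resp.remitterName)}</td>`;
}

// Safe: an application that re-emits the returned data as XML escapes both
// attribute values and element text so the data cannot become tags.
function renderSafeXml(resp) {
  return `<payment id="${escapeXml(resp.transactionId)}">` +
    `<remitter>${escapeXml(resp.remitterName)}</remitter>` +
    `<memo>${escapeXml(resp.memo)}</memo></payment>`;
}

// Returns true if an escaped value still contains a raw tag or a bare ampersand.
function valueHasRawMarkup(escapedValue) {
  return /<|>|&(?!(amp|lt|gt|quot|apos|#39);)/.test(escapedValue);
}
```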

For more information about encoding and escaping output, see the OWASP website: https://www.owasp.org.