Some best practices for web services
These practices are tested by this page. To test your web service, use both valid URLs and URLs that should get a "not found" or other error response.
- Serve the response header "Access-Control-Allow-Origin: *". If you omit this, a JavaScript client will not receive a response. Serve it on all responses, not only successful GETs.
- Ensure the response is well formed. Use a standard marshalling library for XML or JSON, since home-grown code often escapes incorrectly. Test this by replacing the variable parts of your request URL with an attack sequence, e.g. '&{<
- Provide standard HTTP status codes, e.g. 404, 403, as well as providing an error message in the payload. Test this by trying a URL with a "not found" response.
- Provide a machine-readable payload in error responses. Do not revert to HTML. Test this by trying a URL with a "not found" response.
- Provide appropriate response headers. If your service performs database lookups, then provide a Last-Modified or ETag header. If this is not appropriate, "Cache-Control: no-cache" is probably needed.
- Provide the correct MIME type for your response, either application/xml or application/json.
- Support HEAD requests.
- Offer a version of your service over HTTPS. Pages served with HTTPS cannot access HTTP services by AJAX; they will receive an uninformative error message. Ensure that your SSL certificate is accepted by browsers. This is a moving target. Do not allow it to get out of date. If it is rejected, a JavaScript client receives an uninformative error message.
- Identify the appropriate security concerns. Do the responses include confidential information? Can requests be confidential, e.g. trade secrets? Is there a serious risk of a counterfeit of your service? If not, offer a version of your service over HTTP. This is easier to use within HTTP pages.
- Do not redirect from HTTP to HTTPS. Unless everything else is right, browsers will not follow such redirects.
- Support OPTIONS requests.
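As an added example, not code from the original page: a small Python WSGI service that applies the checklist above (the CORS header on every response including errors, standard-library marshalling for JSON and XML, standard status codes with a machine-readable error payload, the correct Content-Type, an ETag on lookup results and Cache-Control: no-cache otherwise, and HEAD and OPTIONS support), together with a call() helper that drives the app in-process so the attack sequence '&{< from the well-formedness item can be tried without a socket. The item data, the /items/ path, the port and the naive_encode function (the home-grown marshalling the page warns against) are constructed for the example.

```python
import hashlib
import json
import xml.etree.ElementTree as ET
from wsgiref.simple_server import make_server

# Constructed sample data standing in for a database lookup.
ITEMS = {
    "widget": {"name": "widget", "price": 3},
    "gadget": {"name": "gadget", "price": 7},
}


def encode(payload, mime):
    """Marshal with a standard library so every value is escaped for the format."""
    if mime == "application/xml":
        root = ET.Element("response")
        for key, value in payload.items():
            ET.SubElement(root, key).text = str(value)
        return ET.tostring(root, encoding="utf-8")
    return json.dumps(payload).encode("utf-8")


def naive_encode(payload, mime):
    """Home-grown marshalling of the kind the page warns against: no escaping at all."""
    if mime == "application/xml":
        inner = "".join("<%s>%s</%s>" % (k, v, k) for k, v in payload.items())
        return ("<response>%s</response>" % inner).encode("utf-8")
    inner = ", ".join('"%s": "%s"' % (k, v) for k, v in payload.items())
    return ("{%s}" % inner).encode("utf-8")


def is_well_formed(body, mime):
    """The check a client would run: does the body parse with a standard parser?"""
    try:
        if mime == "application/xml":
            ET.fromstring(body)
        else:
            json.loads(body)
        return True
    except (ET.ParseError, ValueError):
        return False


def app(environ, start_response):
    """WSGI application applying the page's checklist to every response."""
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "/")  # already percent-decoded by the WSGI server
    accept = environ.get("HTTP_ACCEPT", "")
    mime = "application/xml" if "application/xml" in accept else "application/json"

    # CORS header on every response, errors included, or a browser client sees nothing.
    headers = [("Access-Control-Allow-Origin", "*")]

    if method == "OPTIONS":  # CORS preflight: answer without a body
        headers += [("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS"),
                    ("Access-Control-Allow-Headers", "Accept"),
                    ("Content-Length", "0")]
        start_response("204 No Content", headers)
        return [b""]

    if method not in ("GET", "HEAD"):
        status, payload = "405 Method Not Allowed", {"error": "method not allowed"}
        headers.append(("Allow", "GET, HEAD, OPTIONS"))
    elif path.startswith("/items/") and path[len("/items/"):] in ITEMS:
        status, payload = "200 OK", ITEMS[path[len("/items/"):]]
    else:
        # Standard status code plus a machine-readable payload. The echoed path is
        # attacker-controlled, so it goes through the standard marshaller, never HTML.
        status, payload = "404 Not Found", {"error": "no such item", "path": path}

    body = encode(payload, mime)
    headers.append(("Content-Type", mime + "; charset=utf-8"))
    headers.append(("Content-Length", str(len(body))))  # HEAD reports the GET length
    if status.startswith("200"):
        # Lookup results get a validator so clients can revalidate cheaply.
        headers.append(("ETag", '"%s"' % hashlib.sha256(body).hexdigest()[:16]))
    else:
        headers.append(("Cache-Control", "no-cache"))
    start_response(status, headers)
    return [b"" if method == "HEAD" else body]


def call(method, path, accept="application/json"):
    """Drive the app in-process the way a test harness would, no socket needed.
    Returns (status line, header dict, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_ACCEPT": accept,
               "SERVER_NAME": "localhost", "SERVER_PORT": "8000", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed local address for manual testing with curl or a browser.
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("Serving on http://127.0.0.1:8000/items/widget")
        httpd.serve_forever()
```

Requesting /items/'&{< with an Accept header of application/xml shows the point of the well-formedness item: encode() produces a parseable 404 body containing &amp;{&lt;, while naive_encode() emits the raw characters and the result fails to parse. For JSON the page's sequence happens to be legal inside a string, so the same naive marshaller breaks on a double quote in the value instead, which is why the test below adds one as a constructed extra.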