Security for RESTful Web Services

Just as with a web app, you need to secure your web services to enforce authentication and authorisation.

Although RESTful web services are supposed to be stateless, if you are calling a web service from your own web app, you can have the web service validate the same session cookie your web app issues, and derive the caller's authentication and authorisation from it in the same way that your web app does.

Alternatively you can use Basic Authentication, where the username and password are supplied with the request; a client given a URL of the form below moves them out of the URL into an Authorization: Basic header. With Basic Authentication the username and password are sent effectively in plain text (they are only Base64-encoded, not encrypted), so you must remember to use HTTPS to ensure that they are encrypted during transmission over the network.

https://username:password@www.server.com/api/...
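As an added example (not code from the original page), the following Python shows both approaches described above on the server side: it accepts either the web app's session cookie or an Authorization: Basic header, and it shows how a client turns the user:password@host URL form into that header. The user table, session table, cookie name "sid" and the plain-text password store are constructed for the example; a real service would hold password hashes and a server-side session store.

```python
import base64
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data for this example (assumption: a real service keeps
# password hashes and a server-side session table, not these dicts).
USERS = {"alice": b"s3cret-pw"}
SESSIONS = {"sess-1234": "alice"}   # session id -> user the web app logged in
SESSION_COOKIE = "sid"              # assumed name of the web app's session cookie


def basic_header_from_url(url):
    """A client given https://user:pass@host/... does not send the credentials
    in the request line; it moves them into an Authorization header."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    creds = f"{parts.username}:{parts.password or ''}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def user_from_session(cookie_header):
    """Reuse the web app's session: the service trusts only a session id that
    the web app already established."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def user_from_basic(auth_header, is_https):
    """Validate an Authorization: Basic header. Refuse it entirely on plain
    HTTP, because Base64 is an encoding, not encryption."""
    if not auth_header or not is_https:
        return None
    scheme, _, payload = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Compare against a dummy value when the user is unknown so that timing
    # does not reveal which usernames exist.
    expected = USERS.get(user, b"\x00" * 16)
    ok = hmac.compare_digest(password.encode("utf-8"), expected)
    return user if ok and user in USERS else None


def authenticate(headers, is_https):
    """Return the authenticated user for a request, or None.
    headers: dict of request header name -> value; is_https: whether the
    request arrived over TLS."""
    h = {k.lower(): v for k, v in headers.items()}
    user = user_from_session(h.get("cookie"))
    if user is None:
        user = user_from_basic(h.get("authorization"), is_https)
    return user


if __name__ == "__main__":
    hdr = basic_header_from_url("https://alice:s3cret-pw@www.server.com/api/items")
    print(hdr)
    print(authenticate({"Authorization": hdr}, is_https=True))    # alice
    print(authenticate({"Authorization": hdr}, is_https=False))   # None
    print(authenticate({"Cookie": "sid=sess-1234; theme=dark"}, is_https=True))  # alice
```

The session path is checked first so a browser-originated call from the web app needs no extra credentials; the Basic path is only honoured over HTTPS, which is the check the text above is asking you to remember.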