Security

Access to the API(s) should be secure. Quisper® can connect only to providers that have the following properties:

  1. MUST host the API(s) on an HTTPS connection
  2. MUST use a valid SSL certificate for the HTTPS connection
  3. SHOULD enable CORS by sending the header Access-Control-Allow-Origin: * with all responses

Item 1 ensures that all data and headers are sent over an encrypted channel and cannot be read or modified. This is crucial for the Quisper token, which should not be shared with any other party.

Item 2 prevents some types of man-in-the-middle attacks, where an attacker poses as the provider to intercept all data. A provider should accept a connection from Quisper on the condition that the provider:

  • SHOULD verify the token that QSP sends to indicate that the request originates from Quisper
  • MAY inspect the HTTP ‘Host’ header to verify that the request originated from a Quisper server
  • MAY inspect headers sent by Quisper to find which user made the request
  • SHOULD NOT require additional client authentication

In item 3, if the API is not public and open, the token sent by Quisper allows a service to accept connections only from Quisper.

Item 4 consists of an additional optional verification to the same effect. The client application or Quisper may send additional headers to indicate which user connected to the service, allowing the service to differentiate responses to different users.

Item 6 ensures that users will not have to implement multiple security protocols to make use of a provider.

Quisper will take care of the authentication so that providers do not have to. Potentially, user authentication, which is usually part of the web service outside Quisper, can be removed if the provider verifies that the request originates from Quisper.
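A provider-side sketch of the acceptance conditions listed above, written as an added example and not taken from Quisper's own code. The header names X-Quisper-Token and X-Quisper-User, the function name and the way the token is provisioned are assumptions, since this page does not name them.

```python
import hmac

# Assumptions (not from the Quisper documentation): both header names are
# placeholders chosen for illustration.
TOKEN_HEADER = "x-quisper-token"  # hypothetical header carrying the Quisper token
USER_HEADER = "x-quisper-user"    # hypothetical header naming the end user
CORS_HEADERS = {"Access-Control-Allow-Origin": "*"}


def check_request(headers, expected_token, expected_host=None):
    """Return (status, response_headers, user) for an incoming request."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    presented = h.get(TOKEN_HEADER, "")
    # Constant-time comparison avoids leaking how many leading characters
    # match. Comparing bytes means non-ASCII input is rejected instead of
    # raising TypeError. An empty configured token never authorises anything.
    token_ok = bool(expected_token) and hmac.compare_digest(
        presented.encode("utf-8"), expected_token.encode("utf-8"))
    if not token_ok:
        return 401, dict(CORS_HEADERS), None

    # Optional second check (the MAY item on the Host header): exact,
    # case-insensitive match against the value the provider expects,
    # ignoring any port suffix.
    if expected_host is not None:
        host = h.get("host", "").lower().split(":", 1)[0]
        if host != expected_host.lower():
            return 403, dict(CORS_HEADERS), None

    # The user header only differentiates responses per user; the token
    # remains the sole credential, so no further client authentication
    # is demanded here.
    return 200, dict(CORS_HEADERS), h.get(USER_HEADER)
```

The CORS header is returned on rejections as well, matching the requirement that it accompany all responses.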