Security in a private web service

Posted by Oni on Programmers See other posts from Programmers or by Oni
Published on 2012-03-28T20:59:49Z Indexed on 2012/03/28 23:43 UTC
Read the original article Hit count: 378

Filed under:

I am developing a web site and a web service for a small on-line game. Technically, I'll be using Express (node.js) and MongoDB+Redis for the databases. This the structure I came up with:

  • One Express server that will server as the Web Service. This will connect to the databases.
  • One Express server that will provide the web site. It will connect to the Web Service to retrieve and push the information.
  • iOS and Android application will be able to interact with the WebService.

Taking into account:

  • It is a small game. The information transferred is not critical.
  • There will NOT be third party applications. At least for the moment.

My concern is about which level of security I should use in each of the scenarios:

  • Security of the user playing through web browser
  • Security of the applications and the Web Server connecting to the WS.

I have take a look at the different options and:

  • OAuth and/or Https is too much for this scenario, isn't it?
  • Will be a good option to hash the user and password with MD5(or similar) and some salt?

I would like to get some directions and investigate by my own rather than getting a response like "you should you use this node.js module..."

Thanks in advance,

© Programmers or respective owner

Related posts about security