The REST service provides access to the objects in Kentico, so a potential attacker could obtain any data from the system or modify it.
You can secure the REST service using these authentication options:
- Basic authentication - it is strongly recommended to use SSL with this type of authentication, because basic authentication otherwise sends the credentials in an easily decoded form with every request. See Configuring SSL for more details.
- Forms authentication - this is the standard ASP.NET authentication.
The recommended option is basic authentication over SSL.
You can also use the Hash parameter authentication for authenticating individual REST requests. You only need to generate the hash in the administration interface and add it to the URL. This URL then serves one particular REST request without further authentication. See the documentation on hash parameter authentication for more details.
The REST service should ideally check the authentication with every request. However, because other services in Kentico (e.g., chat) require the ASP.NET HTTP context within WCF, the checks are not performed every time. You can change this behavior by setting the aspNetCompatibilityEnabled key to false in the <system.serviceModel> section of the web.config file:
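The following web.config fragment is an added illustration of that change and is not taken from the Kentico documentation; it assumes the `<system.serviceModel>` section already exists and shows only the `serviceHostingEnvironment` element, which is where WCF reads the `aspNetCompatibilityEnabled` attribute. The weak setting is shown commented out next to the corrected one.

```xml
<!-- web.config, <system.serviceModel> section (other child elements, such as
     <services> and <bindings>, stay as they are and are omitted here) -->
<system.serviceModel>

  <!-- Weak: ASP.NET compatibility mode enabled. The REST service does not
       re-check authentication on every request in this mode. -->
  <!-- <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> -->

  <!-- Hardened: compatibility mode disabled, so every REST request is
       authenticated. Side effect stated in the documentation: chat no longer works. -->
  <serviceHostingEnvironment aspNetCompatibilityEnabled="false" />

</system.serviceModel>
```

After editing web.config the application restarts, so verify afterwards that an unauthenticated REST request is rejected and that no other feature relying on compatibility mode is still needed.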
Note that setting this key to false also disables the chat functionality.
The best practice with REST is to assign a dedicated user to the service, grant that user permissions only for the required objects, configure access through SSL, and disable the aspNetCompatibilityEnabled mode.