wibeasley
commented
11 years ago REDCap API Security: Best Practices (a forum post)
This has some good material on using SSL certificates to prevent Main-in-the-Middle attacks. Rob suggested sending the followin gemail to all users with API privileges:
You are receiving this email because your REDCap user account has an API token associated with it for one or more REDCap projects. We just wanted to take a quick moment to let you know that we've now added an "API Security: Best Practices" section to the REDCap API help page in order to provide you with more information on how to utilize the REDCap API in the most secure manner possible.
The thing most emphasized in this new section is to remind you (API users) to always validate the REDCap server's SSL certificate whenever making an API request. If you are currently not doing this, it does not mean that your API requests are not secure. Rather it is a way to make your API requests even more secure. Validating an SSL certificate is often very simple to implement. If you are not sure how to do this or do not know what any of this means, please navigate to this new section on the API help page using the link below, which explains all of this in detail. Thanks!
To get a list of users with API permissions, run the following SQL
select distinct concat(i.user_email,';')
from redcap_user_rights r, redcap_user_information i
where r.username = i.username and
i.user_email is not null and
r.api_token is not null
order by i.user_emailRob's post doesn't quite finish connecting the dots for specific languages. Here are the steps we used to call the API using the RCurl package:
- Go to http://curl.haxx.se/ca/cacert.pem, copy the text in your browser
- Paste the text into a new text file. Rename it 'ca-bundle.crt' (without the quotes). Let's assume you've saved this file in './Dal/Certs/', where "." represents your working directory.
- In the RCurl::postForm() function, add the argument '.opts=curlOptions(cainfo="./Dal/Certs/ca-bundle.crt")' (without the single quotes).
Two other links that helped us were:
- http://www.omegahat.org/RCurl/FAQ.html (search for "When I try to interact with a URL via https, I get an error of the form" )
- http://stackoverflow.com/questions/6736895/using-rcurl-with-https
In the spirit of #8 and #10, I'd like to collect material about REDCap API and keep it in this thread, along with any accompanying comments that we have.
Also, if you're looking for issues related to API security, please scan Issue #10.
Important: Remember that this is a GitHub repository, and is visible to people outside OUHSC. Please don't post any material that has PHI, or material that can help someone get a step closer to REDCap PHI, such as usernames, tokens, or even URLs