Some best practices for web services

These practices are tested by this page.
To test your web service, enter some example URLs in the box below. Use both valid URLs and URLs that should get a "not found" or other error response.
- Serve the response header:
- Serve it on all responses, not only successful GETs.
- Ensure the response is well formed.
Use a standard marshalling library for XML or JSON,
since home-grown code often escapes incorrectly.
Test this by replacing the variable parts of your request URL
with an attack sequence, e.g.
- Provide standard HTTP status codes, e.g. 404, 403, as well as providing an error message in the payload. Test this by trying a URL with a "not found" response.
- Provide a machine readable payload in error responses. Do not revert to HTML. Test this by trying a URL with a "not found" response.
- Provide appropriate response headers.
If your service performs database lookups, then provide an ETag. If this is not appropriate, Cache-Control: no-cache is probably needed.
- Provide the correct MIME type for your response, application/xml or application/json.
- Support HEAD requests.
- Identify the appropriate security concerns. Do the responses include confidential information? Can requests be confidential, e.g. trade secrets? Is there a serious risk of a counterfeit of your service? If not, offer a version of your service over HTTP. This is easier to use within HTTP pages.
- Do not redirect from HTTP to HTTPS. Unless everything else is right, browsers will not follow such redirects.
- Support OPTIONS requests.
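The checklist above as a runnable skeleton, added here as an example and not code from the tested page: it returns standard status codes with a machine-readable JSON error body (never HTML), sets the correct MIME type, adds an ETag on successful lookups and Cache-Control: no-cache otherwise, and answers HEAD and OPTIONS. RESOURCES and the paths are constructed sample data.

```python
"""Minimal JSON web service skeleton following the checklist on this page."""
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample "database"; a real service would query a store here.
RESOURCES = {"/items/1": {"id": 1, "name": "widget"}}
ALLOWED = "GET, HEAD, OPTIONS"


def build_response(method, path):
    """Return (status, headers, body_bytes) for one request."""
    if method == "OPTIONS":
        return 204, {"Allow": ALLOWED}, b""
    if method not in ("GET", "HEAD"):
        body = {"error": "method not allowed", "status": 405}
        status, headers = 405, {"Allow": ALLOWED}
    elif path in RESOURCES:
        body, status, headers = RESOURCES[path], 200, {}
    else:
        # Error payloads stay machine readable: same JSON shape every time.
        body = {"error": "not found", "status": 404}
        status, headers = 404, {}
    # Always use the standard library marshaller, never hand-built strings.
    payload = json.dumps(body).encode("utf-8")
    headers["Content-Type"] = "application/json"
    headers["Content-Length"] = str(len(payload))
    if status == 200:
        # Lookup succeeded: a content-derived ETag lets clients revalidate.
        headers["ETag"] = '"%s"' % hashlib.sha256(payload).hexdigest()[:16]
    else:
        headers["Cache-Control"] = "no-cache"
    # HEAD gets exactly the GET headers (including Content-Length) but no body.
    return status, headers, b"" if method == "HEAD" else payload


class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        status, headers, body = build_response(self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_HEAD = do_OPTIONS = do_POST = _serve


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```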