How unsecure is it to publish a public post service with receiving base64 values in json payload?

Hi guys,   We have a post service receiving pdf's as base64 values in json payload. There is no authorization set in this service because there is used a third party service herefore, which i use later in the MF.   Now I am wondering, could anybody execute a "Man in the Middle" attack to capture the base64 value in the http header? I think this is possible (don't know how exactly, but seen there is not a direct authorization request for the post service).   How should I secure the base64 string then which is sent in the header? Sending as binary and then absolutely with an authorization? What do you guys do in such case.
1 answers

Data that you transmit in the header can be secure as long as provider of the service uses https. I'm assuiming you are calling another service, if that service is accessible through https:// your data in the headers and body is safe.

With an https connection only the url is visible (so never put a username and password in the url parameters). But the body is alway secured from people listening in.


You are referring to a man in the middle attack, that can always happen no matter how you secure it. Somebody an always sit in between the two services and attempt to relay the information. The trick is to detect this.

If you are using http (not https) you cannot detect a man in the middle attack, everybody can listen in to your requests intercept and forward them. Simply put http is not secure.

When using an https connection all data is secured in the connection and when setting up the connection an application should validate if the certificate from the publishing party is trusted and matches the url. If the certificate is know and exactly as expected the url can be trusted, a 'man in the middle' can't both have a trusted certificate and pretent that he is the actual receiving party. Mendix natively does all the certificate and url validation.

So as long as you don't change any of the advanced security parameters, and if you always use https your data is safe from people listing in.  (for more on how/why I'd suggest researching the attack Mendix isn't any different).


Authorization is a different case, if you don't have authorization on the service anybody can call the service regardless of your security.