WBISCT Pty Ltd – Enterprise Architecture Consulting and Training


Well, let’s break down the concepts of Web API and REST API first.

What’s a Web API?

By definition, a Web API (Application Programming Interface) is a set of rules and tools for building software applications. It allows different software applications to communicate with each other over the web. Essentially, it defines how different software components should interact.

Key Points:

  1. Communication: Web APIs enable communication between different software systems, allowing them to request and exchange data.
  2. Protocols: They can use various protocols for communication, including HTTP (Hypertext Transfer Protocol), SOAP (Simple Object Access Protocol), and more.
  3. Data Format: Web APIs can use different data formats for communication, such as XML (eXtensible Markup Language) or JSON (JavaScript Object Notation).

Now, what’s a REST API?

By Definition, REST (Representational State Transfer) is an architectural style for designing networked applications. A RESTful API, or REST API, is an API that follows the principles of REST. REST is not a protocol but a set of constraints and principles that define how web services should behave.

Ok, so what to retain from this:

  1. Stateless Communication: RESTful APIs are stateless, meaning each request from a client contains all the information needed to understand and fulfill the request. The server doesn’t store any client information between requests.
  2. Resources: In REST, resources (e.g., data objects or services) are identified by URIs (Uniform Resource Identifiers) and are manipulated using standard HTTP methods like GET, POST, PUT, and DELETE.
  3. Representation: Resources can have different representations, such as JSON or XML, and clients can specify the desired representation.

Let’s compare Web API and REST API:

Communication Style:

  • Web API: General term for APIs on the web, can use various protocols and data formats.
  • REST API: Follows the principles of REST, using standard HTTP methods and typically communicates using JSON.


  • Web API: Can be stateful or stateless, depending on the specific implementation.
  • REST API: Emphasizes statelessness, with each request containing all the information needed.

URI Structure:

  • Web API: URI structure varies based on the specific implementation.
  • REST API: Follows a resource-oriented structure with meaningful URIs.

Data Format:

  • Web API: Can use different data formats, including XML or JSON.
  • REST API: Typically uses JSON for data exchange.

In summary, all REST APIs are Web APIs, but not all Web APIs are necessarily RESTful. REST is a specific architectural style with its own set of principles, while the term “Web API” is more general and encompasses a broader range of API implementations on the web.

OK, but how safe are they then?

When comparing Web API and REST API security, it’s important to note that REST is an architectural style, and RESTful APIs are a specific implementation following REST principles. Security considerations can vary based on the specific implementation details, but here are some general points to consider:

Web API Security:


  • Web APIs can use various protocols for communication, including HTTP and SOAP.
  • Security measures depend on the specific protocol in use.

Authentication and Authorization:

  • Web APIs may employ different authentication mechanisms, such as API keys, OAuth, or custom authentication methods.
  • Authorisation mechanisms need to be implemented to control access to resources.


  • Depending on the protocol, data in transit may be secured using protocols like HTTPS (HTTP Secure).
  • Encryption helps protect data from being intercepted during transmission.

REST API Security:


  • RESTful APIs commonly use authentication mechanisms such as OAuth (Token-based authentication) or API keys.
  • Authentication tokens are sent with each request to verify the identity of the client.


  • Authorization is typically handled through proper design of resource URIs and using HTTP methods (GET, POST, PUT, DELETE).
  • Role-based access control (RBAC) or other authorization mechanisms may be employed.


  • The statelessness of REST can enhance security by reducing the chances of session-related vulnerabilities.
  • However, statelessness requires careful handling of authentication tokens.


  • Like Web APIs, RESTful APIs benefit from using encryption, especially HTTPS, to secure data in transit.

Common Security Concerns for Both:

Input Validation:

  • Validate and sanitize input to prevent injection attacks (e.g., SQL injection or cross-site scripting).

Secure Communication:

  • Use secure communication protocols (HTTPS) to encrypt data in transit.

Rate Limiting:

  • Implement rate limiting to prevent abuse or attacks that involve a high volume of requests.

Error Handling:

  • Provide informative error messages to developers but avoid exposing sensitive information that could be exploited by attackers.

Logging and Monitoring:

  • Implement robust logging and monitoring to detect and respond to security incidents.

API Versioning:

  • Properly manage and version APIs to ensure backward compatibility and avoid exposing deprecated or insecure endpoints.

In summary, both Web APIs and RESTful APIs share common security principles, such as authentication, authorization, encryption, and secure communication.

The specific security measures implemented will depend on the API’s design, protocols used, and the level of sensitivity of the data being transmitted.

It’s crucial for developers and API providers to stay informed about security best practices and continually update and monitor their systems for potential vulnerabilities.