Questions about the Web Dev module

I'm trying to get a firm understanding of the Web Dev module, and some ideas are still cloudy in my mind, so I'm hoping someone might be able to help clear things up.

I found the below post on the forum which explains things pretty well. But, looking at option 2: Let's say I want to provide our ERP system with an Ignition-based endpoint. This endpoint will act as a simple interface with which the ERP can check product data against our Ignition database before finalizing a shipment (the shipment "happens" in the ERP, but would rely on data from Ignition for this check).

What are the security implications or considerations of this? Is a signed security certificate (installed on the Ignition gateway) an absolute necessity in order for such a system to work?

My next step will be to figure out the ideal payload data to return when the API is called, but I figure that will come down mostly to what the ERP wants to see.

If you are sending or receiving any kind of sensitive information, I would consider HTTPS an absolute minimum requirement. You don't need a "real" certificate; anything self-signed will do (as long as you can get all the systems involved to trust it), but without HTTPS, your communication is clear text and anyone else on the network can listen in.

The actual level of credentials/authorization is basically up to you. Webdev currently only supports basic auth, which is generally not regarded as sufficient. You can do something as simple as generate a truly random sequence, encode it, and send it from the client as a header you verify in your endpoint. That's probably where I'd start.

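The shared-secret header approach suggested in the reply above, sketched as an added example that is not part of the original posts and is not Ignition's own API. It is plain Python 3; the header name `X-Api-Token`, the `handle_request` wrapper, and the `lookup` callback are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

HEADER_NAME = "X-Api-Token"  # assumed header name, not defined by WebDev


def generate_token(num_bytes=32):
    """Return (token_for_client, digest_for_server)."""
    raw = secrets.token_bytes(num_bytes)  # OS CSPRNG, not the random module
    token = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    # The server keeps only the digest, so a leaked config does not leak the token.
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def is_authorized(headers, stored_digest):
    """Check the token header against the stored SHA-256 digest."""
    # HTTP header names are case-insensitive, so normalize before lookup.
    lowered = {str(k).lower(): v for k, v in headers.items()}
    presented = lowered.get(HEADER_NAME.lower())
    if not isinstance(presented, str) or not presented:
        return False
    try:
        candidate = hashlib.sha256(presented.encode("ascii")).hexdigest()
    except UnicodeEncodeError:
        return False  # tokens issued by generate_token are always ASCII
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, stored_digest)


def handle_request(headers, stored_digest, lookup):
    """Hypothetical endpoint body: returns (status_code, payload)."""
    if not is_authorized(headers, stored_digest):
        return 401, {"error": "unauthorized"}
    return 200, lookup()


if __name__ == "__main__":
    token, digest = generate_token()
    # Constructed sample requests: one with the token, one without.
    print(handle_request({"x-api-token": token}, digest, lambda: {"ok": True}))
    print(handle_request({}, digest, lambda: {"ok": True}))
```

The token is only as private as the transport, so this check belongs behind the HTTPS setup described in the reply.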