I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL. Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.
I've come across an architecture issue recently, and am trying to assess the options I have. At present, we encode a call to a class which takes in an OID and returns the Stream to the browser. In the current application, this request is encoded using %CSP.Page.Encrypt, which performs the encryption and decryption of the string using the %session.Key. This won't work for the new setup, since the REST service creates and destroys the session automatically, so the string can't be decrypted
My current thinking of my choices are
- Implement a rolling encryption/decryption key myself, with an appropriate rollover period
- Send the OID in the clear, but implement a tracking class which generates a key value which must be included in the request, and will be revoked once the link has been accessed
- Send the OID in the clear, and increase auditing of the requesting session
Do we have any best practices, or alternative methods to secure this sort of communication?