5

There are database services offering access to the database via a HTTPS API, such as Neon and Algolia. This is great for serverless environments, but from a security standpoint, I’m curious if this setup effectively addresses the risks of exposing a public-facing database that can be accessed by any client.

The most secure approach I’ve found for direct access to publicly facing databases is to use a client certificate as an additional layer of security, alongside traditional credentials. When comparing these two approaches—using HTTPS API vs. client certificates—what is the more secure option? What are the specific security concerns or drawbacks of each method?

Improve this question
1
  • The database maybe readonly, accessed over a VPN. HTTPS is not automatically insecure. Commented Apr 23 at 14:54

2 Answers 2

Reset to default
9

While client certificates are a significantly more secure authentication for databases, the same mechanism can also be used for HTTPS APIs. But on top of that an HTTPS API could add more restrictions on what operations can be done with the database and more granular controls could be added compared to what the database offers by its own. This does not mean that all APIs will do this, only that it could be implemented.

Similarly while such APIs could add client certificate based authentication they don't need to. In this case they might provide weaker authentication compared to direct database access protected with client certificates.

And, like any additional software layer a HTTPS based API can have its own bugs and thus might introduce new vulnerabilities.

In summary: HTTPS based APIs in front of a database have the potential to provide more security in theory. But this does not mean that they always provide more security in practice. As usually, it depends on the specifics and can not be simply generalized.

Improve this answer
2
  • I would like to add that nearly any restrictions an API can impose on allowed operations can be achieved with the database on its own as well; except it's likely an order of magnitude more work due to not having any frameworks to do the heavy lifting of authorization checks. Commented Apr 24 at 15:03
  • @Logarr: this really depends on the capabilities of the database and the kind of restrictions you want. One could for example imagine different authentication methods, restrictions on content, integrations with zero trust access ... . Commented Apr 24 at 15:09
9

You're comparing apples and oranges.

Providers like Neon merely change how a (server) application accesses a database system: Instead of using the classical PostgreSQL client API to issue queries via TCP or Unix sockets, Neon lets the application use HTTP or the WebSocket protocol. The server application still has to authenticate towards the database system. Note that Neon-managed databases are not meant to be exposed directly to browsers or other public clients (despite the “serverless” label).

How this authentication happens is a separate problem. Neon currently supports classical passwords and session-based authentication. Maybe they'll add more options in the future, including client certificates. If you use the classical PostgreSQL client API, then you can also use password authentication – and a lot of other options like client certificates, RADIUS, Kerberos etc.

So it's not a question of “HTTPS API vs. client certificates”. There are two different issues:

  • The interface between application and database system – on the one hand, there's the standard PostgreSQL client API using TCP and Unix sockets; on the other hand, there's the Neon HTTP/WebSocket-based API
  • The authentication mechanism offered by the interface – like passwords, client certificates, Kerberos etc.
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.