
Keeping Your Applications and Users Safe: Best Practices for Security

At LinkedIn we believe we should always be putting our members first. The LinkedIn Platform is no different. To that end, we've compiled a definitive list of best practices to guide our developers when building applications on our platform. We've also made some changes to how OAuth 2.0 authenticated requests are made, ensuring even more security for your users.

Keeping Your Application Secure

By following the key points we've highlighted in our security best practices guide, you can ensure that your application is protected from some of the more common security vulnerabilities, such as a compromised API key/secret or cross-site request forgery (CSRF) attacks.

Providing a Safe and Pleasant User Experience

In addition to keeping your application secure, it's equally important to develop your application in such a way that your intentions are transparent to your users. For example, requesting too many permissions from the user upon authorization, or performing actions on their behalf unbeknownst to them, creates a bad user experience. Establish trust between your application and your users by following a few simple steps.

Header-Based OAuth 2.0 Authentication

We've extended the security of our platform by now supporting header-based OAuth 2.0 authentication. While we will continue to support query-based authentication (passing the user access token as a query parameter), header-based authentication is our recommended means of making authenticated calls going forward.

Secure URLs

Over the next few weeks, our APIs will begin returning HTTPS URLs. This includes URLs pointing at LinkedIn sites, such as our API, Website, and CDN. This excludes any URLs pointing at non-LinkedIn sites, such as articles submitted via our Share API. Additionally, if you're still using OAuth 1.0a and are not using HTTPS, we strongly suggest that you make this change. We have therefore updated our API documentation to always use HTTPS in our examples.
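To show why the header-based form above is preferred and why HTTPS matters for it, here is an added example (not LinkedIn's code) that builds both request forms and simulates what a typical access log would record. The API URL, the `oauth2_access_token` query parameter name and the token value are assumptions constructed for illustration.

```python
"""Placing an OAuth 2.0 access token in the Authorization header vs. the query string.

Added example, not LinkedIn's code. The API URL and the query parameter name
are assumptions used only for illustration; the token is a constructed sample.
"""
from urllib.parse import urlencode, urlsplit

ACCESS_TOKEN = "CONSTRUCTED_SAMPLE_TOKEN_abc123"   # constructed, not a real token
API_URL = "https://api.linkedin.com/v1/people/~"  # assumed endpoint
QUERY_PARAM = "oauth2_access_token"               # assumed query parameter name


def build_request(url: str, token: str, placement: str = "header") -> tuple[str, dict]:
    """Return (request_target, headers) for an authenticated GET.

    'header' sends the token as a Bearer credential (recommended);
    'query' appends it to the URL (the legacy form the post discourages).
    Any non-HTTPS URL is rejected so the token never travels in clear text.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send a bearer token over {parts.scheme!r}")
    target = parts.path or "/"
    headers = {"Host": parts.netloc, "Accept": "application/json"}
    if placement == "header":
        headers["Authorization"] = f"Bearer {token}"
    elif placement == "query":
        target = f"{target}?{urlencode({QUERY_PARAM: token})}"
    else:
        raise ValueError("placement must be 'header' or 'query'")
    return target, headers


def access_log_line(request_target: str, status: int = 200) -> str:
    """Simulate the request line a typical web or proxy access log records.

    Logs, browser history and Referer headers keep the full request target
    (path plus query string) but normally not the request headers.
    """
    return f'"GET {request_target} HTTP/1.1" {status}'


def token_leaks_into_log(url: str, token: str, placement: str) -> bool:
    """True if the token would show up in the simulated access log line."""
    target, _headers = build_request(url, token, placement)
    return token in access_log_line(target)


if __name__ == "__main__":
    for placement in ("query", "header"):
        target, _ = build_request(API_URL, ACCESS_TOKEN, placement)
        print(f"{placement:6s} {access_log_line(target)}  leaks={token_leaks_into_log(API_URL, ACCESS_TOKEN, placement)}")
```

Running it shows the query form writing the full token into the simulated log line while the header form does not, and any `http://` URL is refused before a request is built.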

-- Kamyar Mohager