How to secure a REST api between a single page app and a server?

I have 2 servers in place, one is responsible for the front-end application and the user authentication. This server is rendering a single page application coded in JavaScript. This JavaScript app is rendering data from a second server through a REST API hosted on this second server.

I would like to secure this second server. I would like to have only the frontend application being able to call the backend server.

At the moment anyone can call the REST API from the browser to query the data.

Thanks for your help.

Michael asked May 01 '13 08:05




1 Answer

Anything that the JavaScript app can do in the browser client can be seen by and done by somebody else to access your back-end REST API server outside your app.

Actually, the fact that the client app is implemented in JavaScript is insignificant - any application that executes on a machine outside of your control cannot be fully trusted. It's a little bit more difficult to reverse engineer a native code executable than to ViewSource on a JavaScript app, but not impossible. Never rely on security by obscurity.

Your best option is to have the browser app require the end user to log in and obtain an auth token from a trusted identity provider, and present that auth token in every request the browser app makes to the REST API. The REST API can then validate the auth token to see if it came from a trusted provider and whether the user named inside the token is authorized to use the REST API.

This ties the authorization of the REST API calls to the user instead of to the app, and makes use of secrets (user credentials) that do not reside in the browser app for all the world to see.

With this in place, you can restrict access to your REST API based on which user is making the call. You can still also filter access based on which app is making the request, but this should be a minor point, not the primary security factor, because it is easier for the application description to be copied than the user credentials.

Another option might be to have your web server act as a proxy to your REST API service so that the browser app must go through the web server to get data from the REST API. This might be viable if the browser app maintains session state that the web server can verify to determine that the request is from the bona fide app and not from somebody else. While this may allow you to keep your REST API off the public network, it doesn't really change your authorization problem - you've just moved it to the web server where you might have more session context to distinguish an in-app request from an interloper request. Tenuous at best, not recommended unless you're really confident in your app session state.

Regardless of what solution you choose, the fact remains that if your REST API is accessible from a client-side application (browser or otherwise), it is a public REST API and should be treated (and fortified) as such. There is no such thing as a private web API that can be accessed from a client machine.

dthorpe answered Nov 07 '22 06:11