Okay, this is the case: I use coinmarketcap.com to get prices of cryptocurrencies. For that to work, I need to provide the API secret that they provide, along with the token that I need the price of, so I implemented this logic in a Next.js API route and returned the price from that route. Now, when I want to assess the price of this token from the client side, I need to pass the token in the body of the POST request that goes to the API route I just made.
Now my problem is: how can I secure this route so that only the frontend code that I wrote can access this API route?
Please help me with this. I am new to backend development, so any help is hugely appreciated.
So basically I have an Express REST API that handles login and everything. I need to create a new service in Next.js that will handle some features, BUT I wish to use the capability of Next.js to make a request to its own API and only then send the request further to my Express API, adding an extra layer of security.
My current setup is that I am making an axios POST request from my proxy API to my Express API. I receive all my account details and everything, including my session cookie, but how do I manage to set it? So far I tried sending it to the front end separately and setting it there, but that does not seem to work.
To be mentioned:
I do have "withCredentials: true" for axios in order to persist the session and make further requests using the cookie's token.
I have a Lambda function which is triggered by the API Gateway service; however, this API is accessed by a front-end application, and this application does not require users to log in or sign up to use it.
However, I would like to secure my API to allow access only from my front-end application.
After my research I found that I can use custom authorization in API Gateway; this custom authorization will check the Authorization header of the incoming request and validate it.
The question is: can I use Amazon Cognito for something like this (implicit grant type)?
If not, what is the thing that the front-end application will send to me to be validated, and how can I keep it always changing, so no one can guess it?
Thank You.
You could check the headers, but if they're always the same, someone can send an HTTP request with those headers - from any client - and trick your Lambda into thinking it's coming from your UI.
Even if you generate a unique token every time your UI is loaded and include it in the headers, someone could take that token and send requests from another client as well.
You could build fancy JavaScript tricks to make headers more dynamic, but it would only make it harder to use your API from another client, not impossible.
I made a site using the Foursquare API and want to publish it on my personal homepage, but I have a security concern with my Foursquare SECRET.
I used an ajax request in a JS file with the following URL format, and I'm afraid clients would be able to read my Foursquare ID and Secret:
https://api.foursquare.com/v2/venues/search?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&v=20180325&ll=lat,lng&query=cafe
I searched for a way to restrict the accessible URL like Yelp does, but Foursquare doesn't seem to provide that. What is the best way to secure my Foursquare Secret on the client side and/or the server side? (I do not have much knowledge of back-end development, but if detailed information is provided, it'd be much appreciated. Thank you all.)
The easiest way would be to use the user's token instead of your Client_ID / Client_Secret.
https://api.foursquare.com/v2/venues/search?oauth_token=someUsersToken&ll=lat,lng&query=cafe
Your app is linked to that token.
Another suggestion would be to use a server as a proxy. Send all requests from your app to your server, then have your server make the request to Foursquare, injecting the client ID and secret, and then send the Foursquare response back to your app.
The problem I see with exposing the user token is that they could potentially use that token to impersonate your app in requests to Foursquare.
You can check here for more info on Foursquare's authentication:
https://developer.foursquare.com/docs/api/configuration/authentication
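The proxy approach from the answer above (and the Next.js API route in the first question, which wraps a CoinMarketCap key the same way), as an added example that is not code from the original posts: the browser sends only search parameters, the server injects credentials it alone holds, and any parameter outside an allow-list is rejected so the proxy cannot be used as an open relay for the whole upstream API. The environment variable names and the fetchImpl injection point are assumptions for illustration.

```javascript
// Added example, not code from the original posts. A server-side proxy that keeps
// the Foursquare client_id/client_secret out of anything the browser can read.

// Only these client-supplied parameters are forwarded. Anything else is rejected
// so the proxy cannot be turned into a generic relay for the upstream API.
const ALLOWED_PARAMS = new Set(["ll", "query"]);
const UPSTREAM = "https://api.foursquare.com/v2/venues/search";

// Build the upstream URL from an allow-listed subset of the client's query plus
// credentials that exist only on the server.
function buildUpstreamUrl(clientQuery, creds, upstream = UPSTREAM) {
  const url = new URL(upstream);
  for (const [k, v] of Object.entries(clientQuery)) {
    if (!ALLOWED_PARAMS.has(k)) throw new Error(`parameter not allowed: ${k}`);
    url.searchParams.set(k, String(v));
  }
  if (!url.searchParams.has("query")) throw new Error("missing query");
  url.searchParams.set("client_id", creds.clientId);
  url.searchParams.set("client_secret", creds.clientSecret);
  url.searchParams.set("v", "20180325"); // version pin taken from the question's URL
  return url.toString();
}

// Proxy one search: validate the client's query, call upstream with the injected
// credentials, and return only status and body (upstream headers are not relayed).
// fetchImpl is injectable so the path can be exercised without network access.
async function proxySearch(clientQuery, creds, fetchImpl = fetch) {
  let target;
  try {
    target = buildUpstreamUrl(clientQuery, creds);
  } catch (e) {
    return { status: 400, body: JSON.stringify({ error: e.message }) };
  }
  const upstream = await fetchImpl(target);
  return { status: upstream.status, body: await upstream.text() };
}

// Credentials are read from the server's environment (assumed variable names),
// never from the incoming request.
function credsFromEnv(env = process.env) {
  return {
    clientId: env.FOURSQUARE_CLIENT_ID,
    clientSecret: env.FOURSQUARE_CLIENT_SECRET,
  };
}
```

A route handler (Express, a Next.js API route, or a Lambda) calls proxySearch(req.query, credsFromEnv()) and writes back the returned status and body; the secret never appears in a response or in client code.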
I made a web API that provides the following services:
Returns the list of current job openings of the company (GET)
Apply for any job that is currently open (POST).
The API is then consumed by an AngularJS front end. Most of the authentication schemes that I found on the web require login, but our website doesn't have one, so I can't really use a bearer token.
What is the list of things that I must implement or consider? Are there any threats, and how do I get around them?
You can probably add a ClientId/ClientSecret to your SPA and somehow securely send it as part of every request; an AngularJS interceptor will probably help.
On the Web API side, accept only those requests that have a valid clientId; do that probably using a filter.
A similar infrastructure is explained here: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ (clientId, ClientSecret part)
Hope this helps.
I am building an API that is going to be used by a partner's website. The website will be in the same domain (api.example.com and www.example.com). In the future we might have a mobile app that will consume this API.
I would not like to have someone using my API for their own website/app, so I would like to have a way to validate my website to my API.
I've searched on SO and found out that I would have to set a cookie in my website so that I send it with every ajax request. Fair enough, but how would I generate this cookie? If I call a method in my API, I would have to validate its origin, so it wouldn't solve it.
I could set an encryption key on both sides, encrypt some information with a salt, and send it to the API to check the information.
I am not a security expert, but it seems it would solve my issue. Is this correct?
When a user logs into my website, would it be safe to change this validation with the user's login token?
thanks!
What you're describing is called a CSRF (Cross Site Forgery Request).
To prevent someone from accessing your APIs from outside your request, your website should store a token within the session, pass this token with every API request, and then the API should validate the token.
There are a ton of good articles on the subject, including many specific examples.
Here is one of them: preventing-cross-site-request-forgeries