I was working on a project, and needed to make an API call to my website https://dashboard.lawliet.host/api/setcoins, it took in a header Authorization, which was the admin API key.
I obviously don't want the API key exposed to the user if they check the outgoing requests, or deobfuscate the program. What is a good and easy solution to get around this?
What I did think of what to hash the API key in this program, and compare it with the key in my server. According to me, this will work, but I do want to know if there's a better/easier way to accomplish it.
P.S: English is not my first language, so if anyone could edit this question and fix any grammatical errors, I would appreciate it.
Thanks,
MisuteriasuKe
Related
I am just testing an API that allows me to get the price of some cryptocurrencies, I wrote a express app and put it on Heroku. An API key is used, and I was wondering, if I were to make this link public, can someone easily steal the API key from the source or is that inaccessible?
https://obscure-coast-63470.herokuapp.com/acs
This is the link, I wanted to know if a hacker can get my API key from the source.
Thanks for the help.
I've created an api using .net core 2 and C#. I'm wondering if there's anyway to find out information about the computer or user that called the api. This is an internally used api so ideally I'd get the Windows user of where the api call came from, but if there's anything I can find out (like an IP address) I'd like to know how. If this isn't possible at all, I'd like to know so I can stop looking for a solution.
No, it's not possible. The server knows only what the client chooses to tell it, typically via request headers. However, the client can also lie, or "spoof" these headers. So, while something like User-Agent may look like it might give you some info about at least the OS/browser, all of that could be completely fabricated.
Matters are even worse with an API, as clients are typically thin, and the actual programmer or whatever connecting to your API must make a conscious decision to provide you with some particular bit of information, which most won't. A web browser typically sends certain standard things without user intervention, but even then users can change or alter what is sent.
I made a styled map in Google Maps and I needed an API key to make it work. I did it, and it workes fine if the API key is not restricted. If I restrict it on a particular IP or domain, it doesn't work, but this is not the problem I want to discuss here. I was wondering, why not leaving my key unrestricted? So i searched online and they said that a key shouldn't be unrestricted for security reasons, so they suggest to
store them in environment variables or in files outside of your application's source tree
I asked myself then, even if I put my API key in an external file, get it with php or whatever, wouldn't it be shown in the html's source code anyway? I mean, in the how-to page they say to write this code
<script src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap">
that's fine, but whatever is my way to set the YOUR_API_KEY, whether getting it from an external file or not, it will be shown on my html's source code anyway.
So,
does anyone know what they mean when they say to put the API key on an external file?
If i find a way to put it on an external file, can I leave it unrestricted? If so, what could happen (speeching from a security point of view)?
Leaving an API completely unrestricted is awful practice and should be avoided in almost every situation. All someone with malicious intent needs to do is find your API key and suddenly they have access to almost everything function that the API key gives you access to. Always restrict keys to the bare minimum.
Since you're going to be embedding the map into an iframe, that script is going to be run client side meaning there isn't much when it comes to hiding the API key but if you restrict a key to simply view maps (and any other functions that will be needed on the users side) there won't be any need to hide it and you can leave it in there as the docs show you.
The document you read on best practices for security with API's applies more to applications of the Google API where it is handling sensitive data or the key has access to functions that could seriously compromise the security of your application if accessed. This doesn't apply in the scenario you described with maps.
I have created an API and I would like to allow other developers to get the information from it. So the idea is to generate and assign API keys to everyone that wants to query our information. With API keys I can limit the daily requests and secure my data.
The thing is, I am concerned about the security aspect of it. Since the API key is going to be sent to our server (via GET/POST etc)?
I am looking for the best solution to handle this problem.
The solution in my mind is to use Asymmetric Cryptography to handle this.
Is it the right way to handle this? If not what is the best way.
Any help will be highly appreciated.
Im trying to make a REST api work with VB.NET (http://help.cj.com/en/web_services/web_services.htm#Commission_Detail_Service.htm)
This is CJ commission's API.
The problem I have is that Im trying to add the service reference https://commission-detail.api.cj.com/v3/commissions but its not working, and when I go straight to that address on the web browser, its asking me for the developer key, which I have, but I dont know how to enter it.
Does anyone have a sample code on how to connect to that API?
Thanks!
I guess you don't need it by this time, but still, for those who'll have the similar question and get to this page: you should pass your developer key as the authorization header of your request. Depending on how you make requests, it could look something like this in VB.NET:
HttpWebRequest.Headers.Add("authorization", "your_dev_key")