API
apasen, 2016-04-13 15:03:45

API authentication, secure?

Hello!
Suppose there is an API server with authentication.
By and large, it doesn't matter how the authorization is implemented: HTTP basic auth, a token, or OAuth.
In any of the known methods, there is something that has to be sent to the server.
So the question is: what do you do if you need to implement the client on the front end (JavaScript, for example)?
After all, any student can open the source and pull the token, key, or login/password out of the script's context.
Perhaps someone will say that even if an attacker steals a token or a key, it won't give him anything, because the token must be tied to domains.
But what will stop me from making requests, say, through cURL, supplying the domain from which I stole the token?


2 answers
xmoonlight, 2016-04-13
@xmoonlight

What is the purpose?
To prevent clients other than the "native" browser client from accessing the REST service?
Rename the variables being sent via JS, and use a double request-response (AJAX, WebSocket) on every request to receive or send data to the server. (This option is the only one.)

Zakharov Alexander, 2016-04-13
@AlexZaharow

"the domain from which I stole the token": the only snag is how to "steal" it. All methods aim at making that difficult. If the site's security is set up well, then "stealing" will be very difficult, but not impossible. This question is akin to the question of the perfect lock. If the door can be broken down, then no matter how perfect the lock is, it will not help. That is why locks have such a thing as a resistance time: from a few seconds to tens of minutes. And here the question is the value of the protected "property" and the ability of the administrators to detect an intrusion. But you need to prepare for such situations in advance.
