How to close API backend from "left" access?

D

danforth2016-12-16 09:45:12

API

danforth, 2016-12-16 09:45:12

When creating a Single Page Application, the frontend accesses the backend via the API. A problem arises: If the API is public, that is, it is designed to return content to guests (not authorized users), then we can no longer check authorization, which means that any attacker will be able to parse the site by sending a request to site.ru/api/ with a call to the getLatestPosts method . I understand that everything can be parsed, but I do not want this task to be so simple for an attacker. I want to understand how in such cases to determine whether the client request is real, or whether it comes from some kind of PHP parser, should there be some kind of verification methods?
Thank you!

Reply

Answer the question

In order to leave comments, you need to log in

5 answer(s)

I

Ilya Karavaev, 2016-12-16
@Quieteroks

You can do as payment services do. There is a secret key known to your public and your "private" API server. The transmitted data is collected in a heap and hashed with a secret key. This hash for verification is sent as an additional parameter for validation on the private server side. Anyone who does not know the secret key will not be able to correctly compose the request.
Well, or you may well place the API server on the internal network with a public server, if the private one does not need access from outside.

_

_ _, 2016-12-17
@AMar4enko

DevMan answered you correctly - limiting the number of requests, synthetically increasing the server response time in case of suspicious activity. Basically, everything rests on behavioral analysis - if someone (an IP address or you can search for libraries for more complex heuristics for determining unique users) purposefully knocks on the same API endpoint, sorting through the pagination parameter, then you are most likely being parsed - we put this IP address in the list of suspicious ones and add a synthetic response delay of 3 seconds and a limit of simultaneous connections to it. And if he is persistent, then we completely ban

C

catanfa, 2016-12-22
@catanfa

In general, the correct answer to this question is no way . If you have a public api available to any browser, then you can tap it with simple software. If you put some kind of barriers, such as limiting the frequency of requests from one IP, some kind of cookies, etc., but everything will work from the browser, then from the parser, after a simple tweak by the attacker , it will also work. In the end, what's stopping me from just human hands "clicking" your entire site and saving all pages through File -> Save Web Page As .. ?
By the way, Yandex and Google search robots also scrape your site, and you most likely would not want to ban them.

A

Alex, 2016-12-16
@mr_ko

You can use JWT for authorization in the API.

R

Rou1997, 2016-12-16
@Rou1997

And it is very necessary - to protect?
And why just an attacker?
Here you generally write that you have a public API, and then write that you want to prohibit it from being used. :)
If you want to check whether the request is coming from a browser or from a parser, then check HTTP headers, if the parser is "crooked" then this will help, even better, use HTTPS with HSTS, and even better, switch from HTTP to another protocol, this will seriously raise the bar " to qualify the so-called "intruder".
In addition to the IP address, everything else is faked, in general, this entire IP-TCP-HTTP stack "should" do little, in the last century they did not think about such things, there are no much more necessary features in the TCP protocol.