API
skippetr, 2017-10-30 17:23:53

How to encrypt an api call so that the client cannot read it?

There is a client-server application. There is one api method (say https://example.com/api/test?q=123) that is sent by the client, but only when some conditions are met. For example, some inquisitive hacker will learn this method and will send such an api request when the conditions on the client are not met. Is it possible to somehow encrypt this request so that the server can check its validity and at the same time the client can form this request only if the conditions are met?
I don’t know how clearly I described it, I honestly tried.

4 answer(s)
Rsa97, 2017-10-30
@Rsa97

And what will prevent a hacker from learning the encryption method and encrypting his request?
Everything that the client sends must be checked on the server, including the conditions for the admissibility of the request.

Alexander Taratin, 2017-10-30
@Taraflex

Communicate with the server using a self-written binary protocol, wrapping the whole thing in a WebSocket.

Alexey Medvedev, 2017-10-30
@medvedhack

Make a system of tokens tied to a specific client. The simplest solution to request validation in 5 minutes:
1) Come up with a secret word
2) Hash it and the request from the client:

$keyword = 'шифровочка';
$q = '123';
$hash = md5($keyword.$q); //089580e98caf60967d356e5cc3b32046

3) Send a request: https://example.com/api/test?q=123&hash=089580e98c...
4) Check it on the server for the same word and if everything is OK, skip
This is all very rough; there are a lot of ready-made solutions and algorithms. You can look at OAuth as an example.

Alexey Skobkin, 2017-10-30
@skobkin

The client is in the hands of the enemy.
You can't do anything about it. All that remains for you is to monitor the state on the server side and check there whether the conditions are met. On the client side, all these checks can be considered validation for the convenience of the user - nothing more.
No encryption will help you (this does not mean that the API should work over open HTTP, of course).
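
An added example, not taken from any of the answers above: a PHP sketch of the server side that combines the per-client token idea with a condition check done from server-side state. The session table, the key values, the `level_done` flag and the function names are assumptions made for illustration, and HMAC-SHA256 with `hash_equals` is used in place of the `md5` concatenation.

```php
<?php
declare(strict_types=1);

// Constructed server-side state (in practice a database or session store).
// 'level_done' is a hypothetical stand-in for "the condition" from the question.
$sessions = [
    'sess-alice' => ['key' => 'constructed-key-alice', 'level_done' => true],
    'sess-bob'   => ['key' => 'constructed-key-bob',   'level_done' => false],
];

// Client side: sign the parameter with the per-session key using HMAC-SHA256.
function signRequest(string $key, string $q): string
{
    return hash_hmac('sha256', $q, $key);
}

// Server side: returns [httpStatus, message].
function handleTest(array $sessions, string $sid, string $q, string $hash): array
{
    if (!isset($sessions[$sid])) {
        return [401, 'unknown session'];
    }
    $s = $sessions[$sid];
    // 1) Integrity: recompute the MAC and compare in constant time.
    if (!hash_equals(signRequest($s['key'], $q), $hash)) {
        return [403, 'bad signature'];
    }
    // 2) The actual decision comes from server-side state. A valid signature
    //    only shows that the sender holds the key, and every client holds it,
    //    so it says nothing about whether the condition was met.
    if (!$s['level_done']) {
        return [409, 'condition not met'];
    }
    return [200, 'ok'];
}

// Constructed requests: signed with condition met, signed with condition
// not met, and a request whose q was changed after signing.
$cases = [
    ['sess-alice', '123', signRequest('constructed-key-alice', '123')],
    ['sess-bob',   '123', signRequest('constructed-key-bob', '123')],
    ['sess-alice', '124', signRequest('constructed-key-alice', '123')],
];
foreach ($cases as [$sid, $q, $hash]) {
    [$code, $msg] = handleTest($sessions, $sid, $q, $hash);
    echo "$sid q=$q -> $code $msg\n";
}
```

The second case is the one the question is about: the signature verifies, and the request is still refused because the server's own record says the condition is not met.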
