How to secure a project with a completely separate front-end and back-end?
I am working on a project in which the front-end and back-end are completely separated, located on different servers, and communicate with each other exclusively through an API. The front-end is written in React by another developer.
I am responsible for the back-end; I had no experience working with such a scheme before.
Accordingly, I am concerned about security issues, since this is my area of responsibility.
In particular: how do I make authentication secure?
So far I have done this: for example, when logging into a personal account, the server generates a token and stores it in the database, then gives it to the front-end, which saves it in cookies or local storage. With each GET or POST request this token is sent to the back-end, compared with what is saved in the database, and if it is found, further actions are allowed. The token is associated with a user ID and has a limited lifetime.
How safe is this, and how do I protect against request forgery in general?
What other security issues need to be addressed?
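The token scheme described in the question, as an added example (not code from the question's author or from any framework): a server-side token table holding only a hash of each token, a lifetime check on every request, and the token carried in an `Authorization: Bearer` header rather than a cookie, so a cross-site request does not carry it automatically. The in-memory SQLite table, the one-hour lifetime and the request handler are assumptions for the demonstration.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional, Tuple

# Constructed in-memory store standing in for the server-side token table
# from the question (token -> user id, limited lifetime).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at REAL)")

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a token

def _hash(token: str) -> str:
    # Store only a hash so a leaked database dump does not hand out live sessions.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_id: int, now: float) -> str:
    """Generate an unguessable token, record its hash, user and expiry, return it."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a sequential id
    db.execute("INSERT INTO tokens VALUES (?, ?, ?)",
               (_hash(token), user_id, now + TOKEN_TTL_SECONDS))
    db.commit()
    return token

def revoke_token(token: str) -> None:
    db.execute("DELETE FROM tokens WHERE token_hash = ?", (_hash(token),))
    db.commit()

def user_for_token(token: str, now: float) -> Optional[int]:
    """Return the user id for a stored, unexpired token, else None."""
    row = db.execute("SELECT user_id, expires_at FROM tokens WHERE token_hash = ?",
                     (_hash(token),)).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    if now >= expires_at:
        revoke_token(token)  # expired: drop it so it cannot be replayed later
        return None
    return user_id

def handle_request(headers: dict, now: float) -> Tuple[int, str]:
    """Constructed request handler: expects 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing token"
    user_id = user_for_token(token, now)
    if user_id is None:
        return 401, "invalid or expired token"
    return 200, f"hello user {user_id}"
```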
What other security issues need to be addressed?
1. It would be good to read OWASP.org to learn what SQL injection and XSS are.
2. Stop reinventing the wheel: when you build it again and again, the likelihood of crap increases, so use frameworks. For example, django-rest-framework.