How to secure rest api?
There is application number 1, which serves JSON. I want to protect it so that the data is given only to my application number 2. Application number 2 is a regular HTML + JS (vue.js) app. What are the options (in simple terms, if possible)?
The first thing that came to mind was a login and password that application number 1 will request before giving the data. As I understand it, the login and password will need to be put into the Ajax request in the 2nd application? Or am I misunderstanding something, or... After all, this password can be easily seen in the source code? What are the options?
The classical approach: together with the request, the client sends data that uniquely identifies the user (the login and password are not transmitted with each request, because that is a potential opportunity to eavesdrop on this data, and there is also a performance problem: you would have to check the user database for each request, which is very expensive).
Usually, to identify the user, the service creates a special "key" at login (which the user keeps and sends to the service with each request).
Previously, sessions were actively used for these purposes, which the server stored in its memory and verified the entered data with these sessions - but there are many problems with scalability and performance, so now the so-called "tokens" are actively used
data about the user is encrypted in such a token, upon receipt of the token, the server decrypts the data located there, does not check it with anything and DOES NOT STORE, this decrypted data specifically indicates whether the user has access rights or not.
these tokens can be passed to the server in the request as a parameter:
http://site.ru/data.json?token=your_token
but this method is considered bad because, for example, tokens remain in the browser history (and GET requests limit the length of a possible link).
Passing the token in the request header is considered the most suitable way.
For more information about tokens, I advise you to look here: https://jwt.io/introduction/
Well, by default, the browser won't let you make an Ajax request from another domain to your server unless the server sends a special header that allows cross-domain Ajax requests. That is, in the simplest case, you can limit yourself to checking on the server that it was an Ajax request that came to you; this is far from 100% protection, but it will block most unwanted requests. Also, a CSRF token is a good option.