Django
JRazor, 2016-10-02 00:07:06

Protecting a public API?

Good day.
There is an API for AJAX requests. Its purpose is to fetch the message history for chats. But there will be not one chat but many.
Actually, the question is: how to secure the retrieval and sending of data as much as possible:
1) Only for GET requests
2) For all types of requests.


2 answer(s)
Daemon23RUS, 2016-10-02
@Daemon23RUS

Cryptography above all.
The churchmen are left nervously smoking on the sidelines.
And your imagination should have no limits.
Instead of http:// .... ?msg=Hello%20World&user=Vasya
pass http:// .... ?crypt=sec5c243y5mc245ym28yer78ygx23784fp978213g4e79rfg2374xfn8623t4rtf1083t408t3

Sergey Pankov, 2016-10-06
@trapwalker

You can maximize security by using https plus a session crypto key.
The client logs in to the server with the user's password. In response, the server sends a session key, which the client will attach to its AJAX requests.
In order not to store the client's current session key on the server, you can simply encrypt the time, the client's IP and login, and the chat ID. When a message arrives, we decrypt this data and check whether content may be given to this client. An updated session crypto key can be sent with each response from the server. On expiry, we force re-authorization or, say, an explicit request for a new crypto key.
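The stateless token scheme from the answer above, as an added example that is not part of the original post: the server keeps nothing per session; it issues a token carrying the time, client IP, login and chat ID, verifies and expiry-checks it on each request, and hands back a fresh one with every response. The token is HMAC-signed rather than encrypted (integrity is what the check relies on; authenticated encryption would additionally hide the claims), and `SERVER_KEY`, `TOKEN_TTL` and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in a Django project this would come from settings, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 300  # seconds a session token stays valid before the client must refresh it


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(login: str, ip: str, chat_id: int, now=None) -> str:
    """Build a stateless session token: JSON claims plus an HMAC tag, nothing stored server-side."""
    issued = int(now if now is not None else time.time())
    claims = {"t": issued, "ip": ip, "u": login, "c": chat_id}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def check_token(token: str, ip: str, chat_id: int, now=None):
    """Return the claims if the token is genuine, unexpired and bound to this IP and chat, else None."""
    try:
        body_part, tag_part = token.split(".", 1)
        body, tag = _unb64(body_part), _unb64(tag_part)
    except ValueError:  # malformed token or bad base64
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time MAC comparison; reject any tampering
        return None
    claims = json.loads(body)  # body is trusted only after the MAC check
    current = now if now is not None else time.time()
    if current - claims["t"] > TOKEN_TTL:  # expired: caller forces re-authorization / refresh
        return None
    if claims["ip"] != ip or claims["c"] != chat_id:  # token is bound to one client address and one chat
        return None
    return claims


def handle_history_request(token: str, ip: str, chat_id: int, now=None):
    """Simulated AJAX view: verify, serve the chat, and rotate the token for the next request."""
    claims = check_token(token, ip, chat_id, now)
    if claims is None:
        return None  # a real view would answer 401/403 here
    return {"user": claims["u"], "chat": chat_id, "next_token": issue_token(claims["u"], ip, chat_id, now)}
```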
