API
Vlad T., 2017-08-09 00:49:54

What are the best practices for securing APIs?

I need to build a service with an API that will receive POST requests from forms (publicly accessible) on third-party sites. How are such requests usually authenticated?


2 answer(s)
Philipp, 2017-08-09
@est

Common practices are described here https://www.owasp.org/index.php/REST_Security_Chea...
The authenticity of a request can only be verified when the data is passed through the server.
Otherwise, you can rely on the standard cross-site scripting protection mechanisms or on banal referrer checks. However, such trifles are forged in no time.
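The "verified only when data is passed through the server" case, as an added example that is not part of the answer above or of the OWASP cheat sheet it links: the partner site's backend (never browser JS, where a secret cannot be kept) signs the form payload with a per-partner shared secret and a timestamp, and the API verifies the HMAC in constant time and rejects stale timestamps. The partner id, secret, header names and the 300-second skew window are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical per-partner secrets (assumption; in practice loaded from a secret store).
PARTNER_SECRETS = {"partner-42": b"replace-with-a-random-32-byte-secret"}
MAX_SKEW_SECONDS = 300  # assumed tolerance for clock drift between partner and API


def canonical_body(fields: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _message(partner_id: str, timestamp: int, body: bytes) -> bytes:
    # Bind the signature to who sent it and when, not only to the body.
    return f"{partner_id}\n{timestamp}\n".encode() + body


def sign_request(partner_id: str, secret: bytes, fields: dict, timestamp: int):
    """Run on the partner's server: returns (headers, body) to POST to the API."""
    body = canonical_body(fields)
    sig = hmac.new(secret, _message(partner_id, timestamp, body), hashlib.sha256).hexdigest()
    headers = {
        "X-Partner-Id": partner_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }
    return headers, body


def verify_request(headers: dict, body: bytes, now: int):
    """Run on the API side: returns (accepted, reason)."""
    partner_id = headers.get("X-Partner-Id")
    secret = PARTNER_SECRETS.get(partner_id)
    if secret is None:
        return False, "unknown partner"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(secret, _message(partner_id, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample form submission.
    now = 1_700_000_000
    hdrs, body = sign_request("partner-42", PARTNER_SECRETS["partner-42"],
                              {"email": "user@example.com", "msg": "hello"}, now)
    print(verify_request(hdrs, body, now))
    print(verify_request(hdrs, body + b" ", now))
    print(verify_request(hdrs, body, now + MAX_SKEW_SECONDS + 1))
```

The timestamp window only bounds replay; to reject an exact replay inside the window the API also has to remember recently seen signatures (or a per-request nonce) for the length of that window.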

xmoonlight, 2017-08-09
@xmoonlight

There are 3 types of API:
1. Public - publicly available, with known request parameters.
2. Private (authorized access) - publicly available, with known request parameters, but requiring a key (password, token) or a certificate.
3. Closed - proprietary clients with their own private exchange protocol with the server API.
JS in the browser is only type 1.
If it is not 2 or 3, then only 1 remains.
A very crude option (for point 1): you can check the duration of the session at the moment of the POST request to the server and, if it is shorter than the fastest time a person could fill in the form by hand, treat the data as unreliable.
