
Let's imagine the following scenario: a web app that calls an API. As the web app's code can be accessed in the web browser, we could say that anyone can replicate its code and start making calls to our API, and we couldn't detect whether a call came from our web app or not.

How do I prevent it?

1 Answer


Non-public REST services must perform access control at each API endpoint. Web services in monolithic applications implement this by means of user authentication, authorisation logic and session management. This has several drawbacks for modern architectures which compose multiple micro services following the RESTful style.

  • In order to minimise latency and reduce coupling between services, the access control decision should be taken locally by REST endpoints
  • User authentication should be centralised in an Identity Provider (IdP), which issues access tokens

You could also use an API Key. API keys can reduce the impact of denial-of-service attacks. However, when they are issued to third-party clients, they are relatively easy to compromise (if you aren't planning on doing this, there shouldn't be any problems with key hijacking).

  • Require API keys for every request to the protected endpoint.
  • Return 429 "Too Many Requests" HTTP response code if requests are coming in too quickly.
  • Revoke the API key if the client violates the usage agreement.
  • Do not rely exclusively on API keys to protect sensitive, critical or high-value resources.

You can read more good security practices in OWASP's official article.

I hope this helps.
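The three API-key rules in the answer (require a key on every request, answer 429 when a client exceeds its quota, revoke keys that violate the agreement) as a framework-independent server-side check. This is an added example, not code from the answer or from any library; the `X-API-Key` header name, the hashed key store, the quota values and the 60-second window are constructed assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

WINDOW_SECONDS = 60
# Constructed sample store: keys are kept only as SHA-256 hashes, each with a
# per-window quota and a revoked flag. Real deployments would persist this.
_KEYS = {
    hashlib.sha256(b"demo-key-alpha").hexdigest(): {"quota": 3, "revoked": False},
    hashlib.sha256(b"demo-key-beta").hexdigest(): {"quota": 3, "revoked": True},
}
_HITS = defaultdict(deque)  # key hash -> timestamps of recent requests


def _lookup(presented: str):
    """Hash the presented key and compare it to every stored hash with a
    constant-time comparison, so timing does not reveal partial matches."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, record in _KEYS.items():
        if hmac.compare_digest(stored, digest):
            return stored, record
    return None, None


def check_request(headers: dict, now: Optional[float] = None) -> int:
    """Return the HTTP status the endpoint should send:
    401 missing/unknown key, 403 revoked key, 429 over quota, 200 allowed."""
    now = time.time() if now is None else now
    presented = headers.get("X-API-Key")
    if not presented:
        return 401
    key_hash, record = _lookup(presented)
    if record is None:
        return 401
    if record["revoked"]:
        return 403
    hits = _HITS[key_hash]
    while hits and hits[0] <= now - WINDOW_SECONDS:  # sliding window
        hits.popleft()
    if len(hits) >= record["quota"]:
        return 429
    hits.append(now)
    return 200


def revoke(presented: str) -> bool:
    """Mark a key revoked, e.g. after a usage-agreement violation."""
    _, record = _lookup(presented)
    if record is None:
        return False
    record["revoked"] = True
    return True
```

As the answer's last bullet says, this only limits abuse; a key embedded in browser code is readable by anyone who loads the page, so sensitive endpoints still need user-level authentication behind it.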


1 Comment

The API key can be intercepted in the client-side, so the attacker could replay the messages easily.
