1

Say you're developing an application which consists of a backend HTTP API, which serves a frontend UI. The UI, upon being rendered on the client's browser, will need to make certain calls to the backend (e.g., fetch data for views). However, all these calls are can be checked on Chrome's developer console, for example. This exposes my application's overall logic and internal API endpoints.

Is this a concern for a web application? I looked around some other websites (e.g., Reddit) and I was indeed able to check an API call was being made and I even managed to reproduce it via cURL, getting the same response back.

My first idea to solve this would be to encrypt all data and have it decrypted internally in the frontend app. However, I don't think this would provide much security since the private key would have to be hardcoded in the app's source code, which can also be checked by modern browsers. Besides, this could greatly impact the application's performance.

The best I could think of was to somehow assign a token (JSON Web Tokens, maybe?) to the session (which in turn is assigned to a user). This token would be needed to make the API calls, and maybe it could have a short expiration time. However, the token can still be seen in the HTTP request.

Any ideas?

Sasha Fonseca
  • 2,257
  • 23
  • 41

1 Answers1

0

I am using bcrypts => https://www.npmjs.com/package/bcryptjs + jsonwebtokens in my MEAN app for the same. Bcryptjs creates a salt at the server side and send an encrypted token to the client. The same token is used for API calls. This makes decoding a bit harder for any phishing attempt.

Use HTTPS instead. => Are querystring parameters secure in HTTPS (HTTP + SSL)?

Himanshu
  • 835
  • 1
  • 13
  • 22
  • 1
    Thank you for your suggestions. I am indeed using HTTPS, of course :) however, I can't use the suggested package since I'm building the frontend in Elm, and I don't want to rely on external JS calls – Sasha Fonseca Oct 28 '17 at 11:24