
I am currently learning Node.js (with Express) and so I have a simple API app living on Heroku. My idea is to have the Node app that's serving my REST API endpoints living on Heroku, provided by a subdomain such as api.example.com and my frontend living on Vercel with Next.js on the main www.example.com domain.

How can I secure my API endpoints (not the ones that need login, such as POST or DELETE requests, but the general GET requests serving the data that's visible to all users without logging in), to avoid that anyone could access my data from my API?

When using e.g. a headless CMS you'll generate an access token you'll add to your frontend app, but how do I best do this? I read about helmet, but not sure if this is enough?


Edit to clarify my needs:

  • I want a decoupled backend / frontend setup
  • My Node backend is on Heroku and served via api.example.com
  • My frontend is using Next.js, running on Vercel and is on the main www.example.com domain
  • My app is quite similar to Eventbrite (it is not about events, but has a similar core functionality, so basically a simple CRUD app)
  • There are restricted routes where users need to register and login to perform actions such as POST or DELETE requests (e.g. add events, delete events, bookmark events)
  • The frontend lists those events and every website visitor can view those events from the home page as well as on dedicated routes, e.g. /events/id-and-name-of-event but they need to login if they want to perform various actions (such as delete events if they were added by them or bookmark those events)

What I am afraid of is simply that someone accesses my data from my API and uses it on their homepage. That's why I think I need to secure my endpoints to avoid other sites / apps from scraping (from) my API.

Christoph Berger
  • have you tried JWT tokens? – Sven.hig Jul 09 '20 at 14:46
  • @Sven.hig Thanks for asking. I always thought JWT is for user authentication only, so e.g. to allow or prohibit several routes of your app? (Please note — In my app most normal `GET` routes will be available to everyone.) – Christoph Berger Jul 09 '20 at 14:52
  • you can't prevent the public from accessing your api data without some sort of authentication; you can specify that only your app users can access your GET api but not anyone else, and you can do that with a JWT token, or you can also use passport-local if you use `passport` – Sven.hig Jul 09 '20 at 15:13
  • Thanks again. Tbh I am not sure if we are really talking about the same thing (no offense, I think I did not make it clear enough!). Just to clarify — the app I am building is quite similar to Eventbrite from its core functionality. So I want to have a home page listing all items (= events), that homepage is visible to every website visitor, no matter if they are logged in or a registered user. – Christoph Berger Jul 09 '20 at 15:26
  • But if I do not secure my get api endpoint any other app or website could use my data and list the events on their homepage, so that's what I am afraid of. – Christoph Berger Jul 09 '20 at 15:33
  • From what I understood in your last comment, what you need is a way to determine if the user accessing your api from your front end is a normal genuine user or someone scraping your app and using your api for their own app.... is that correct? – Sven.hig Jul 09 '20 at 15:37
  • exactly, that's correct. – Christoph Berger Jul 09 '20 at 15:40
  • From what I know, besides the obvious, which is implementing CORS, your best bet is to use machine learning that learns how users interact with your app and then detects abnormal behaviour; it works more or less the same way as the Google reCAPTCHA algorithm. This type of algorithm takes into consideration many factors like how many api calls per IP address (too many api calls from the same IP address is a red flag)... – Sven.hig Jul 09 '20 at 16:07
  • Also you should consider using techniques like `event throttling` and `debouncing`; this will allow you to class any request that is faster than let's say 5ms as an attack and then return false. Here is a link about this for more information: [DDoS Attacks](https://stackoverflow.com/questions/20435553/how-to-protect-against-distributed-denial-of-service-attacks-in-node-js-with-soc), or you can use a CDN service that provides DDoS attack protection – Sven.hig Jul 09 '20 at 16:24
  • Thanks once again for getting back and your detailed explanations. Tbh though that sounds like an extensive task to achieve what sounds like a "quick" security fix. Do services like Airbnb do things like that? I guess their service is no monorepo and decoupled as well... Again, thanks, much appreciated. – Christoph Berger Jul 09 '20 at 17:27

0 Answers