I'm using Angular 10 for an application. Is it possible to encrypt the request parameters/hide data? Anyone can see the Bearer token and the request parameters, and can access the URL. I'm concerned about the application security.
0
-
No. Everything the browser does is public. But why would that be an issue? Every user can only see his own bearer token. – MikeOne Aug 25 '21 at 12:04
1 Answer
1
Please check out this answer on how OAuth 2.0 works. And how it's not possible for someone to steal/sniff it over SSL here.
The only way for someone to get it is if they are using your browser or machine.
In other words, if your application is secured by SSL you should not worry about the Bearer Token being compromised. All you have to do is lock your PC when you go away from it and no one will ever have access to your Token.

sephoro
-
What if the person who is using the app is a hacker and he can see the access token and the endpoint? What can we do to avoid that? – FadilaNuzha Aug 26 '21 at 04:20
-
Access tokens are unique to the user and usually expire after some time, especially if you are using OAuth; please see [here](https://stackoverflow.com/questions/25838183/what-is-the-oauth-2-0-bearer-token-exactly/25843058#25843058) and [here](https://www.pingidentity.com/en/company/blog/posts/2019/oauth2-access-token-multiple-resources-usage-strategies.html). And yes, every individual has access to their token; this is not a problem. It's like you knowing your password to your Facebook account: does it mean you are going to hack your Facebook? Unless I am not fully getting your concerns? – sephoro Aug 26 '21 at 12:06
-
Yes, you are correct. We are using a client-based OAuth token, not a common token for all users. As an identifier for each user, a specific-length slug is used. If a hacker tries all possible ways of creating that slug, a bearer token can be generated and information can be accessed. How to overcome this issue? – FadilaNuzha Sep 02 '21 at 08:20
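
The point made in the answer and comments above (each user sees only their own token, and tokens are per-user and expire) depends on the server checking every request. The following is an added example, not part of the original thread: a Node.js server-side check in which an HMAC-signed token stands in for the OAuth access token. The names `issueToken`, `verifyToken`, `getRecord`, `tamperSubject`, `RECORDS` and the token format are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption: a server-only signing key that never reaches the browser.
const SERVER_KEY = crypto.randomBytes(32);
const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (payload) =>
  crypto.createHmac('sha256', SERVER_KEY).update(payload).digest();

// Issue a token bound to one user, valid for ttlSeconds.
function issueToken(userId, ttlSeconds, now = Date.now()) {
  const claims = { sub: userId, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = b64url(JSON.stringify(claims));
  return `${payload}.${b64url(sign(payload))}`;
}

// Return the claims if the signature and expiry are valid, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const expected = sign(parts[0]);
  const given = Buffer.from(parts[1], 'base64url');
  // timingSafeEqual requires equal lengths, so check that first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch { return null; }
  if (typeof claims.exp !== 'number') return null;
  return claims.exp > Math.floor(now / 1000) ? claims : null;
}

// Constructed sample data: every record has an owner.
const RECORDS = {
  'rec-1': { owner: 'alice', data: 'alice-data' },
  'rec-2': { owner: 'bob', data: 'bob-data' },
};

// Per-request authorization: the token's subject must own the record.
function getRecord(token, recordId) {
  const claims = verifyToken(token);
  if (!claims) return { status: 401 };
  const rec = RECORDS[recordId];
  if (!rec || rec.owner !== claims.sub) return { status: 403 };
  return { status: 200, data: rec.data };
}

// Editing the visible payload without the server key invalidates the signature.
function tamperSubject(token, newSub) {
  const [payload, sig] = token.split('.');
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  return `${b64url(JSON.stringify({ ...claims, sub: newSub }))}.${sig}`;
}
```

A user holding their own valid token gets 200 only for records they own, 403 for anyone else's, and 401 once the token is edited or expired.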