Questions tagged [api-security]
39 questions
5 votes, 1 answer
Remove security only for some requests wso2 api manager
Is it possible to remove security for some specific requests in my API list using WSO2 API Manager version 3?
For example, I have the following requests:
/customer - post
/products - get
/customer/address - get
In my case I don't need security for…

CLIFFORD P Y
4 votes, 1 answer
How to secure API behind Kong Gateway for both public and internal traffic
We currently have multiple APIs that are not behind a gateway. The APIs that are exposed publicly use OpenID Connect for authentication and claims authorization. Some of the APIs are internal only and are network secured behind a firewall.
We plan…

user3119533
3 votes, 1 answer
Is it safe to share domain restricted API keys?
I'm using Google's Perspective API and have an API key. I've restricted this to the specific domain I'm going to be using, but I would like to know if it's safe to release the key in my code? As this would be in the client's browser I don't want to…

DillonB07
3 votes, 2 answers
Spring Boot API how to validate NONCE value sent in request header to avoid replay attacks
I have a Spring Boot application with custom authentication. I am intercepting the API requests using a Servlet Filter and validating the request token sent. I am also requesting a nonce in the request header from the client, which is a unique value sent from…

skool99
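The replay check the question above is asking for, as an added example that is not part of the original question or of any Spring Boot code (written in Python rather than Java; the header names, the 300-second window, the in-memory nonce table and the shared-secret HMAC scheme are all assumptions for this illustration):

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: every client holds a shared secret, signs each request
# with it, and the server keeps a short-lived table of nonces it has already accepted.
WINDOW_SECONDS = 300      # max clock drift tolerated; also how long a nonce is remembered
NONCE_BYTES = 16          # 128-bit random nonces, never reused by an honest client


def canonical_string(method, path, timestamp, nonce, body):
    # Fixed field order and separator so the signed string cannot be re-parsed ambiguously;
    # the body is bound through its hash, so any change to it breaks the MAC.
    return "\n".join([method.upper(), path, str(timestamp), nonce,
                      hashlib.sha256(body).hexdigest()])


def sign_request(secret, method, path, body, now=None):
    """Client side: produce the replay-protection headers for one request."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(NONCE_BYTES)
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class ReplayGuard:
    """Server side: the check a servlet filter would run before the request reaches a handler."""

    def __init__(self, secret, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        # nonce -> time after which it can be forgotten. In production this table must be
        # shared by all server instances (e.g. Redis SET NX with a TTL), not per-process.
        self._seen = {}

    def _prune(self, now):
        for nonce, expires in list(self._seen.items()):
            if expires < now:
                del self._seen[nonce]

    def check(self, method, path, body, headers, now=None):
        """Return (accepted, reason). Only an accepted request consumes its nonce."""
        now = time.time() if now is None else now
        self._prune(now)
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed replay-protection headers"
        # 1. Timestamp window: bounds how long a captured request stays usable and keeps
        #    the nonce table small, since anything older is rejected here regardless.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside acceptance window"
        # 2. Verify the MAC before touching the nonce table, so unauthenticated junk
        #    cannot fill it up. compare_digest avoids a timing side channel.
        expected = hmac.new(self.secret,
                            canonical_string(method, path, timestamp, nonce, body).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 3. Freshness: the nonce must not have been accepted within the window.
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        self._seen[nonce] = timestamp + self.window
        return True, "ok"
```

A nonce on its own only proves "I have not seen this exact value before"; without the timestamp the server would have to remember every nonce forever, and without the MAC an attacker could simply change the nonce on a captured request and resend it. The three checks together are what defeat replay.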
2 votes, 1 answer
Secure API Call in React JS
I have an API that I want to make a request to from my frontend, which is built using React. However, I don't want anyone to be able to see the API call in my code, because if someone just opens the inspect window, then they can see the API call.…

Tejas_hooray
2 votes, 2 answers
Secure API without a user registration - php/Laravel
I have an API in Laravel with mostly GET endpoints and an Android application.
The application is meant to be open without the need to authenticate, i.e like booking.com where you can browse hotels without the need to login or register.
Anyone can…

Shuaib Jaff
2 votes, 0 answers
Is code injection possible in R via functions that read CSVs or parse JSON from the web?
Web frameworks that inadequately sanitise inputs can be prone to SQL injection.
Are R processes vulnerable to 'R injection' in the same way? That is, can someone (or some API) provide inputs to R functions (especially those that can read from the…

stevec
1 vote, 0 answers
How to perform validation before decoding the raw JSON?
We are building an API Framework in PHP (Hacklang) and will be using json-schema from OPIS to implement validation of JSON input in the request body.
OWASP recommends implementing validations on minimum and maximum value range check for numerical…

Naveen Santhanavel
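One way to do the pre-decode validation the question above asks about, as an added example that is not from the original question and not Hacklang or OPIS code (Python is used for illustration; the byte, depth and numeric-literal limits, the field names and the range table are assumptions):

```python
import json
import re

# Limits are assumptions for this example, not values from the original question.
MAX_BYTES = 64 * 1024        # reject oversized bodies before any parser sees them
MAX_DEPTH = 32               # recursive decoders blow the stack on deep nesting
MAX_NUMBER_CHARS = 32        # any int64/double fits; defeats million-digit integers

_NUMBER = re.compile(r"-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?")


def prescan(raw: bytes) -> list:
    """Scan raw JSON bytes without building objects; return a list of problems found."""
    problems = []
    if len(raw) > MAX_BYTES:
        return [f"payload is {len(raw)} bytes, limit {MAX_BYTES}"]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["payload is not valid UTF-8"]
    depth, in_string, escape, i = 0, False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            # Brackets and digits inside strings are data, not structure.
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > MAX_DEPTH:
                problems.append(f"nesting depth exceeds {MAX_DEPTH}")
                return problems
        elif ch in "]}":
            depth -= 1
        elif ch == "-" or ch.isdigit():
            m = _NUMBER.match(text, i)
            if m:
                if m.end() - m.start() > MAX_NUMBER_CHARS:
                    problems.append(f"numeric literal longer than {MAX_NUMBER_CHARS} chars at offset {i}")
                i = m.end()
                continue
        i += 1
    return problems


def load_checked(raw: bytes, ranges: dict) -> dict:
    """Prescan, decode, then apply min/max range checks to the listed numeric fields."""
    problems = prescan(raw)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object at top level")
    for field, (lo, hi) in ranges.items():
        value = doc.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"{field}: expected a number")
        # Also rejects inf and NaN, which json.loads produces for "1e400" and "NaN".
        if not lo <= value <= hi:
            raise ValueError(f"{field}: {value} outside [{lo}, {hi}]")
    return doc
```

The pre-scan covers only what the decoder itself can be hurt by (size, depth, absurd literals); the semantic range checks still have to run on decoded values, because the raw text cannot tell you which number belongs to which field.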
1 vote, 2 answers
Managing remotely-generated API keys with Ansible
I'm using ansible to provision a particular service, and before I can interact with it I must first generate an API key. But I can't predefine that key in my playbook (as a secret) - it is generated by the server, returned to me once, and will never…

lonix
1 vote, 1 answer
How to know the secret key of JWT and where to store it on windows server
I am trying to implement JWT authentication in my Web API. I am doing this for the first time. When I Googled some tutorials, the first step shown is to save the secret key in the appsettings.json file. I am stuck at that place itself. How will I know…

Nilesh
1 vote, 1 answer
Is it enough to use JWT when there is only one user role for API-Security?
I will be developing a mobile app, and for this, I have read a lot about API Security and gotten a little confused. If my app makes a request to the API, is an authentication enough or do I also need the authorization since I only have one user…

erhhhh
1 vote, 1 answer
How to prevent attackers from using my password reset mechanism to email bomb people?
My web app has a pretty standard feature that allows a user who forgot their password to reset it by sending themselves a password reset email with a link to the page to create a new password.
I'm concerned that person1 could use this page to harass…

Joshua Frank
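A throttle of the kind the question above is looking for, as an added example that is not part of the original question or of the asker's web app (the quota values, the window lengths, the generic reply text and the in-memory tables are assumptions for this illustration):

```python
import time
from collections import deque

# Policy values are assumptions for this example, not from the original question.
MAX_PER_TARGET = 3          # reset emails any one address may receive per TARGET_WINDOW
TARGET_WINDOW = 3600
MAX_PER_SOURCE = 10         # reset requests any one client IP may make per SOURCE_WINDOW
SOURCE_WINDOW = 3600
# Identical reply whether or not the address exists, so the endpoint cannot be used
# to enumerate accounts.
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


class ResetThrottle:
    def __init__(self):
        self._by_target = {}   # normalised address -> deque of request timestamps
        self._by_source = {}   # client IP -> deque of request timestamps
        # In production both tables live in a shared store (e.g. Redis) so that
        # every app instance enforces the same counts.

    @staticmethod
    def normalise(email):
        # Case-fold and trim so "Bob@Example.com " and "bob@example.com" share a quota.
        return email.strip().lower()

    @staticmethod
    def _take(table, key, limit, window, now):
        """Sliding-window counter: record the event only if still under the limit."""
        q = table.setdefault(key, deque())
        while q and q[0] <= now - window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def request_reset(self, email, source_ip, known_accounts, send_email, now=None):
        """Returns (reply_for_client, reason_for_logs)."""
        now = time.time() if now is None else now
        target = self.normalise(email)
        if not self._take(self._by_source, source_ip, MAX_PER_SOURCE, SOURCE_WINDOW, now):
            return GENERIC_REPLY, "dropped: source rate limit"
        # The per-target cap is what actually protects the victim: it holds no matter
        # how many IPs the attacker rotates through. It is charged before the account
        # lookup so unknown and known addresses are indistinguishable from outside.
        if not self._take(self._by_target, target, MAX_PER_TARGET, TARGET_WINDOW, now):
            return GENERIC_REPLY, "dropped: target rate limit"
        if target in known_accounts:
            send_email(target)
            return GENERIC_REPLY, "sent"
        return GENERIC_REPLY, "dropped: unknown account"
```

The log reason is for the operator only; the client always sees the same text and, ideally, the same response time, otherwise the throttle becomes an account-enumeration oracle.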
1 vote, 0 answers
Authenticate API in .net core using ping identity OAuth2.0
Problem Statement: I want to secure APIs using Ping Identity OAuth 2.0. I am following this blog but I get a 401.
I have configured the Postman tool with OAuth 2.0 using the details provided by the Ping Identity team and I'm able to generate the token, but the…

Ishan
1 vote, 2 answers
How to tackle bots in REST APIs
I have a mobile application where users post advertisements, and other users view and accept them. Recently, I began to notice that bots started to post their own advertisements. I have moderators, but there are so many advertisements that it is impossible to…

Olav
0 votes, 1 answer
Enhance the security of ASP.NET Core Web API unauthorized get endpoint
I have a scenario where there is one web app (Admin Panel) and another front site on another domain. Now I want to provide an "Impersonate" facility where a super admin can gain his company's users' access and access the whole site…

Mihir Shah