
My colleagues and I are developing a public web application with client and admin access.

I'm concerned about security, since the application is public. I would like to add every layer, as long as it's useful and really provides security.

I thought that preventing the client access from being the same as the admin access would add one such layer.

One idea is to create subdomains for each, like client.app.com and admin.app.com, though each subdomain points to the same site.

I'm picturing a scenario where an admin user name tries to access from the client interface; the source IP could then be blocked.

The application has authorization and access control over the resources and routes.

Is this a good approach concerning security?
Should we add some other layer of access control?

We are using the Laravel framework.

  • *"I want to prevent the client access being the same as the admin access"* - It might be better if you don't just state what you want but why you actually want it, i.e. what you want to achieve with such a separation. Is this just because it feels nice, because it's more usable, because it provides better security ... – Steffen Ullrich Apr 04 '22 at 06:06
  • @SteffenUllrich You are right, some explanation is needed. I'm concerned about security, since the application is public. I would like to add every layer, as long as it's useful and really provides security. The subdomain-specific access was just an idea, not sure if a substantial one. I'm picturing a scenario where an admin user name tries to access from the client interface; the source IP could then be blocked. – schrodingerscatcuriosity Apr 04 '22 at 06:39

1 Answer


Splitting into subdomains for two unique login pages could get complex and technically would double your exposure in terms of attack.

It would be fundamental to focus essentially on access control permissions as well as authorization concepts. The main objective would be to design granular permissions over the resources in your web application and assign them to defined roles so that you have strict controls denying access over certain attributes. You can look this resource from OWASP to have more specific details.

raDiaSmO
  • Thanks, the application has authorization and access control, but I would like to add all the advisable layers of security. – schrodingerscatcuriosity Apr 03 '22 at 23:40
  • *"Splitting into subdomains for two unique login pages could get complex and technically would double your exposure in terms of attack."* - would it? There is no need to use a different code base for different domains. Moreover, using different domains will result in implicit separation using the browser Same Origin Policy and thus might actually enhance security without much effort. – Steffen Ullrich Apr 04 '22 at 06:01