Highest Voted 'api' Questions - IT Security Stack Exchange

142

votes

24 answers

Why can't I just let customers connect directly to my database?

I'm pretty sure this is a stupid idea but I'd like to know why, so bear with me for a moment. Lots of the work backend developers do is providing CRUD access to customers via HTTP, essentially mapping data from and to the internal database.…

account-security mysql api

asked Apr 17 '20 at 12:45

Moritz Friedrich

1,455
2
10
10

62

votes

7 answers

Is exposing the server time a security risk?

If I create a servlet that would return the server time publicly (no need for authentication), would this be a security issue? I couldn't think of any issue with this, but somehow something tells me I could be wrong. To explain more, this end-point…

web-application api

asked Jun 08 '18 at 09:15

Manny

651
1
5
7

52

votes

2 answers

What is PKCE actually protecting?

I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand. So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…

rest api client oauth2

asked Dec 14 '17 at 11:56

TommyBs

657
1
5
7

39

votes

11 answers

Returning the wrong HTTP response code on purpose?

I'm writing a simple REST API, and I want to restrict access to my mobile-client only. In other words, I'm trying to prevent a malicious user from e.g. using curl to make an unauthorized POST request. Of course, this is impossible. However, there…

http authorization rest api

asked Feb 08 '17 at 18:25

Miles

501
1
4
6

36

votes

3 answers

Store Auth-Token in Cookie or Header?

I do understand that a header is the "cleaner" solution to transport an auth-token from a trusted system to another in a REST call. But when you are in client-side JavaScript code, the world looks different to me. Cookies can be marked as…

authentication cookies rest api

asked Feb 23 '18 at 06:43

rdmueller

2,413
3
18
17

32

votes

1 answer

How does a refresh token help?

I have a basic doubt or apparently am missing out on something fundamental. When talking about an Android app that talks to the backend using APIs, the access to the resources/APIs are protected using access tokens and refresh tokens (much like…

mobile android oauth authorization api

asked Feb 10 '16 at 06:39

qre0ct

1,492
3
19
30

28

votes

7 answers

How do hackers trick frontend validation?

I've always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I'm having a hard time wrapping my head around how a bad actor could trick it. I never…

web-application api cors same-origin-policy

asked Jan 30 '21 at 02:55

Dashiell Rose Bark-Huss

407
1
3
6

24

votes

1 answer

What kind of hashing to use for storing REST API tokens in the database?

We have a REST API that communicates with a mobile front-end. After submitting a one time password, the backend will issue a token (random UUID v4 string) for the mobile app to use as authentication on subsequent requests. The server will store a…

hash session-management rest api sha256

asked Feb 14 '17 at 00:42

maniciam

343
2
4

23

votes

1 answer

How do you pen test a REST API?

We have a server that is running a REST API on port 443. I'd like to make sure it's secure by doing various pen tests on it. I'm used to doing offensive testing on a webpage where I can see code, and URLs, and find forms to test. But I'm completely…

penetration-test rest api

asked Jun 13 '16 at 23:04

MagnificentMaleficent

341
1
2
4

22

votes

8 answers

Protect API from being tampered?

I'm building an API with websocket that serializes data through JSON. The App itself is a chat application. I came up with the following structure to send my data: {date: '2020-05-31', time: '14:28:05', text: "Hey!", to: '', from:…

api rest protection websocket tampering

asked May 31 '20 at 19:35

VladiC4T

379
4
8

20

votes

1 answer

Security Headers for a web API

I just got a setup, a golang web api behind a caddy server that has HTTPS by default via Let's Encrypt, the server proxies all requests to the web api. So I went around to test my webserver "security" on sites such as securityheaders.io. They gave…

proxy api header

asked Jan 07 '17 at 00:05

Whiteclaws

333
1
3
6

20

votes

1 answer

OIDC Flow for SPA and RESTful API

I'm building a Single-Page App (SPA) and a RESTful API. The API needs security - certain users can only make calls to certain endpoints. I have an external Identity Provider (IdP (Okta)) that I want the user to authenticate with using the OpenId…

api openid-connect single-page-app

asked Jul 13 '16 at 04:54

Steve

313
1
2
7

19

votes

2 answers

HTTPS POST request header versus request body

Is there any security difference between placing sensitive data, such as an API key in a POST request header versus the POST request body assuming the API server is HTTPS-only? While you frequently see API keys in the Authorization header or a…

tls http api

asked Aug 26 '15 at 17:37

pxwise

293
1
2
6

19

votes

1 answer

What was the original intent for the feature that StrandHogg uses?

The "Affinity" of Android tasks seems really complex to handle. The StrandHogg vulnerability uses tricks with "Affinity" to render itself inside an another app. The information that I've found this far does not provide exact details of vulnerability…

android vulnerability api design-flaw

asked Dec 04 '19 at 06:47

Mikko Rantalainen

513
2
11

19

votes

1 answer

How does including a magic prefix to a JSON response work to prevent XSSI attacks?

While working on a project that used the REST API for Gerrit Code Review I noticed that they do something that I thought was strange Source: To prevent against Cross Site Script Inclusion (XSSI) attacks, the JSON response body starts with a magic…

api json xssi

asked Jan 13 '16 at 20:57

ecnepsnai

347
2
14

Questions tagged [api]