Questions tagged [api]

Application Programming Interface; a set of routines, protocols, tools or endpoints used in software development.

480 questions
142 votes, 24 answers

Why can't I just let customers connect directly to my database?

I'm pretty sure this is a stupid idea but I'd like to know why, so bear with me for a moment. Lots of the work backend developers do is providing CRUD access to customers via HTTP, essentially mapping data from and to the internal database.…
asked by Moritz Friedrich
62 votes, 7 answers

Is exposing the server time a security risk?

If I create a servlet that would return the server time publicly (no need for authentication), would this be a security issue? I couldn't think of any issue with this, but somehow something tells me I could be wrong. To explain more, this end-point…
asked by Manny
52 votes, 2 answers

What is PKCE actually protecting?

I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand. So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…
asked by TommyBs
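Added example (not part of the question above or of any answer to it): a toy PKCE exchange in Python, following RFC 7636, that shows what the code-verifier buys. The mobile app keeps the verifier in memory, sends only its SHA-256 challenge to the authorization endpoint, and the server binds the issued code to that challenge. The `AuthorizationServer` class is an assumed stand-in for a real server, not any product's code; the three scenarios in `demo()` use constructed values.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier (allowed length 43..128)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Assumed toy authorization server: binds each issued authorization code to
    the code_challenge that the /authorize request carried."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """The /authorize step. The returned one-time code travels back to the app's
        redirect URI; this is the value an interceptor can capture."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> Dict[str, str]:
        """The /token step. Codes are single-use: any attempt consumes them."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        if method != "S256" or code_verifier is None:
            return {"error": "invalid_grant"}
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not secrets.compare_digest(s256_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo() -> Dict[str, Dict[str, str]]:
    """Three exchanges against the toy server; returns each /token response."""
    server = AuthorizationServer()
    results: Dict[str, Dict[str, str]] = {}

    # Scenario 1: the code is intercepted (for example by another app registered
    # for the same custom URI scheme) and replayed with no verifier at all.
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier))
    results["intercepted_no_verifier"] = server.token(code, None)

    # Scenario 2: the interceptor supplies a verifier of its own. It never saw
    # the real one (it stayed inside the legitimate app's process), so the
    # recomputed challenge cannot match the one stored with the code.
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier))
    results["intercepted_wrong_verifier"] = server.token(code, make_code_verifier())

    # Scenario 3: the legitimate app redeems its own code with its own verifier.
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier))
    results["legitimate"] = server.token(code, verifier)
    return results


def rfc7636_vector_ok() -> bool:
    """Self-check against the worked example in RFC 7636, Appendix B."""
    return (s256_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
            == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")


if __name__ == "__main__":
    print(demo())
    print("RFC 7636 test vector:", rfc7636_vector_ok())
```

The point the scenarios make: PKCE does not hide the authorization code, it makes a captured code worthless on its own, because redeeming it requires a secret that never left the app that started the flow. It does not protect an access token once issued, and it is no substitute for TLS.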
39 votes, 11 answers

Returning the wrong HTTP response code on purpose?

I'm writing a simple REST API, and I want to restrict access to my mobile-client only. In other words, I'm trying to prevent a malicious user from e.g. using curl to make an unauthorized POST request. Of course, this is impossible. However, there…
asked by Miles
36 votes, 3 answers

Store Auth-Token in Cookie or Header?

I do understand that a header is the "cleaner" solution to transport an auth-token from a trusted system to another in a REST call. But when you are in client-side JavaScript code, the world looks different to me. Cookies can be marked as…
asked by rdmueller
32 votes, 1 answer

How does a refresh token help?

I have a basic doubt or apparently am missing out on something fundamental. When talking about an Android app that talks to the backend using APIs, the access to the resources/APIs is protected using access tokens and refresh tokens (much like…
asked by qre0ct
28 votes, 7 answers

How do hackers trick frontend validation?

I've always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I'm having a hard time wrapping my head around how a bad actor could trick it. I never…
24 votes, 1 answer

What kind of hashing to use for storing REST API tokens in the database?

We have a REST API that communicates with a mobile front-end. After submitting a one time password, the backend will issue a token (random UUID v4 string) for the mobile app to use as authentication on subsequent requests. The server will store a…
asked by maniciam
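Added example (not part of the question above or of any answer to it): storing only a digest of a random API token, in Python. The token is a UUID v4 as the question describes, so it carries about 122 bits of randomness; a single SHA-256 is enough to protect the stored copy, and a slow password hash such as bcrypt or Argon2 would add latency without adding security, since a guessing attack against the digest is hopeless regardless. `TokenStore` is an assumed in-memory stand-in for a database table indexed on the digest column; the user id and the leak scenario are constructed.

```python
import hashlib
import uuid
from typing import Dict, Optional


def hash_token(token: str) -> str:
    """Server-side digest of a high-entropy random token. Unsalted SHA-256 is
    appropriate here: the input is unguessable, so the slow, salted KDFs used for
    low-entropy passwords buy nothing."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Assumed persistence layer: digest -> user_id (think of a DB table with a
    unique index on the digest column)."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, str] = {}

    def issue(self, user_id: str) -> str:
        token = str(uuid.uuid4())  # the only plaintext copy is the one sent to the client
        self._by_digest[hash_token(token)] = user_id
        return token

    def authenticate(self, presented: str) -> Optional[str]:
        # Look up by digest of whatever the client sent. A leaked table yields
        # digests, and a digest presented as a token is hashed again, so it fails.
        # An indexed equality lookup is fine here: the value compared is a digest of
        # an unguessable secret, so nothing useful leaks through timing.
        return self._by_digest.get(hash_token(presented))

    def revoke(self, presented: str) -> bool:
        return self._by_digest.pop(hash_token(presented), None) is not None

    def dump(self) -> Dict[str, str]:
        """What an attacker obtains from a database dump."""
        return dict(self._by_digest)


def demo() -> Dict[str, object]:
    """Issue one token for a constructed user, simulate a DB leak, then revoke."""
    store = TokenStore()
    token = store.issue("user-42")
    leaked = store.dump()
    (stolen_digest,) = leaked.keys()
    out: Dict[str, object] = {
        "plaintext_is_uuid4": uuid.UUID(token).version == 4,
        "stored_value_is_not_token": stolen_digest != token,
        "valid_token_authenticates": store.authenticate(token),
        "leaked_digest_does_not": store.authenticate(stolen_digest),
        "garbage_does_not": store.authenticate("not-a-token"),
    }
    out["revoked"] = store.revoke(token)
    out["after_revoke"] = store.authenticate(token)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

If the store instead kept plaintext tokens and compared them on each request, the comparison should use `hmac.compare_digest`; with digest-keyed lookup the plaintext never reaches the comparison at all.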
23 votes, 1 answer

How do you pen test a REST API?

We have a server that is running a REST API on port 443. I'd like to make sure it's secure by doing various pen tests on it. I'm used to doing offensive testing on a webpage where I can see code, and URLs, and find forms to test. But I'm completely…
22 votes, 8 answers

Protect API from being tampered?

I'm building an API with websocket that serializes data through JSON. The App itself is a chat application. I came up with the following structure to send my data: {date: '2020-05-31', time: '14:28:05', text: "Hey!", to: '', from:…
asked by VladiC4T
20 votes, 1 answer

Security Headers for a web API

I just got a setup: a golang web API behind a Caddy server that has HTTPS by default via Let's Encrypt; the server proxies all requests to the web API. So I went around to test my webserver "security" on sites such as securityheaders.io. They gave…
asked by Whiteclaws
20 votes, 1 answer

OIDC Flow for SPA and RESTful API

I'm building a Single-Page App (SPA) and a RESTful API. The API needs security - certain users can only make calls to certain endpoints. I have an external Identity Provider (IdP (Okta)) that I want the user to authenticate with using the OpenId…
asked by Steve
19 votes, 2 answers

HTTPS POST request header versus request body

Is there any security difference between placing sensitive data, such as an API key in a POST request header versus the POST request body assuming the API server is HTTPS-only? While you frequently see API keys in the Authorization header or a…
asked by pxwise
19 votes, 1 answer

What was the original intent for the feature that StrandHogg uses?

The "Affinity" of Android tasks seems really complex to handle. The StrandHogg vulnerability uses tricks with "Affinity" to render itself inside another app. The information that I've found this far does not provide exact details of vulnerability…
19 votes, 1 answer

How does including a magic prefix to a JSON response work to prevent XSSI attacks?

While working on a project that used the REST API for Gerrit Code Review I noticed that they do something that I thought was strange. Source: To prevent against Cross Site Script Inclusion (XSSI) attacks, the JSON response body starts with a magic…
asked by ecnepsnai
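Added example (not part of the question above or of any answer to it): both sides of the XSSI guard, in Python. Gerrit's REST documentation describes the prefix line `)]}'` that must be stripped before the rest of the body is fed to a JSON parser; that prefix is used here. A same-origin XHR/fetch client can read the raw body, strip the line and parse the remainder. A hostile page that loads the same URL via `<script src>` receives identical bytes, and `)` at the start of a script is a syntax error before any value is produced, so nothing can be captured by overriding constructors or setters. `json.loads` stands in for the parser on both sides; the sample payload is constructed.

```python
import json
from typing import Any

# The guard line Gerrit's REST API documents; not valid JSON and not valid JavaScript.
XSSI_PREFIX = ")]}'\n"

# Constructed sample payload (field names are illustrative only).
SAMPLE = {"change_id": "I0123", "owner": {"email": "alice@example.test"}}


def render(payload: Any) -> str:
    """Server side: emit the guard line followed by the real JSON document."""
    return XSSI_PREFIX + json.dumps(payload)


def parse(body: str) -> Any:
    """First-party client side: require the guard, strip it, then parse.
    Refusing an unguarded body means a server-side regression is noticed."""
    if not body.startswith(XSSI_PREFIX):
        raise ValueError("response is missing the XSSI guard prefix")
    return json.loads(body[len(XSSI_PREFIX):])


def rejected_by_parser(body: str) -> bool:
    """True if the raw body cannot be parsed as-is. This is the position of a
    third-party page that included the endpoint as a script: it gets the bytes
    but the leading ')' aborts evaluation before any data exists."""
    try:
        json.loads(body)
        return False
    except json.JSONDecodeError:
        return True


def missing_prefix_is_refused() -> bool:
    """The first-party client must not silently accept an unguarded body."""
    try:
        parse(json.dumps(SAMPLE))
        return False
    except ValueError:
        return True


def demo() -> dict:
    guarded = render(SAMPLE)
    return {
        "guarded_raw_rejected": rejected_by_parser(guarded),      # script inclusion fails
        "guarded_parsed_by_client": parse(guarded),               # first-party client succeeds
        "unguarded_raw_accepted": not rejected_by_parser(json.dumps(SAMPLE)),
        "client_refuses_unguarded": missing_prefix_is_refused(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The guard only matters for responses that would otherwise be valid script, which is why it targets the legacy case of a bare JSON array or object being pulled in cross-origin with the victim's cookies attached; it does nothing for a client that cannot read the raw body anyway, and it is complementary to, not a replacement for, `Content-Type: application/json`, `X-Content-Type-Options: nosniff` and SameSite cookies.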