bkis

Reputation: 2587

How to protect an API endpoint for reporting client-side JS errors against spam (if even necessary)?

I am developing a web application with Spring Boot and a React.js SPA, but my question is not specific to those libraries/frameworks, as I assume reporting client-side JS errors to the server (for logging and analyzing) must be a common operation for many modern web applications.

So, suppose we have a JS client application that catches an error and a REST endpoint /errors that takes a JSON object holding the relevant information about what happened. The client app sends the data to the server, it gets stored in a database (or whatever) and everyone's happy, right?

Now I am not, really. Because now I have an open (as in allowing unauthenticated create/write operations) API endpoint everyone with just a little knowledge could easily spam.

I might validate the structure of JSON data the endpoint accepts, but that doesn't really solve the problem.

In questions like "Open REST API attached to a database- what stops a bad actor spamming my db?" or "Secure Rest-Service before user authentification", there are suggestions such as:

So my questions are:

  1. Is there an elegant, commonly used strategy to secure such an endpoint?
  2. Would a lightweight solution like validating the structure of the data be enough in practice?
  3. Is all this even necessary? After all I won't advertise my error handling API endpoint with a banner in the app...

Upvotes: 6

Views: 869

Answers (1)

Dan H

Reputation: 1828

I’ve seen it done three different ways…

  1. Assuming you are using OAuth 2 to secure your API. Stand up two error endpoints.

    • For a logged in user, if an error occurs you would hit the /error endpoint, and would authenticate using the existing user auth token.
    • For a visitor, you can expose a /clientError (or named in a way that makes sense to you) endpoint that takes the client_credentials token for the client app.
  2. Secure the /error endpoint using an api key that would be scoped for access to the error endpoint only.

    • This key would be specific to the client and would be passed in the header.
  3. Use a 3rd party tool such as Raygun.io, or any APM tool, such as New Relic.

Upvotes: 2
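A Spring Boot sketch of the second option above (a key scoped to the error endpoint, sent in a header) combined with the structural validation the question mentions, added here as an example and not code from the question, the answer or any project; the header name, the `app.client-error-key` property and the field size limits are assumptions.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import jakarta.validation.Valid;
import jakarta.validation.constraints.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

// Filter guarding /clientError: the SPA sends the key it was built with in the
// X-Client-Error-Key header (header and property names are assumptions).
@Component
public class ClientErrorKeyFilter extends OncePerRequestFilter {
    private final byte[] expectedKey;
    public ClientErrorKeyFilter(@Value("${app.client-error-key}") String key) {
        this.expectedKey = key.getBytes(StandardCharsets.UTF_8);
    }
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !"/clientError".equals(request.getRequestURI());
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String presented = req.getHeader("X-Client-Error-Key");
        // Constant-time comparison; String.equals() would leak the matching prefix length via timing.
        if (presented == null
                || !MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expectedKey)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}

// Bounded field sizes: a spammer cannot stuff megabytes of "stack trace" into each row.
record ClientErrorReport(@NotBlank @Size(max = 512) String message,
        @Size(max = 4096) String stack, @NotBlank @Size(max = 2048) String url) {}
@RestController
class ClientErrorController {
    @PostMapping("/clientError")
    ResponseEntity<Void> report(@Valid @RequestBody ClientErrorReport report) {
        // Persist or log here; a bean-validation failure returns 400 before this method runs.
        return ResponseEntity.accepted().build();
    }
}
```

Because the key ships inside the SPA bundle it is not a secret: it raises the bar and lets you rotate it, but it should be paired with per-IP rate limiting at the reverse proxy or an APM tool that already does this for you.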
