Karl Anthony Baluyot

Reputation: 176

How to secure GET request when queried in a browser tab

I am currently assigned to developing a stock market data API with security on top of all. I was able to secure incoming GET requests using JWT, API keys, middleware auths.

Let's say when the user is not logged in, as we all know, all HTTP methods, esp. GET, are responding with HTTP status 401 unauthorized access.

My problem is when the user is logged in to our app, the API requests can now be queried successfully (server to server), but when I copy the request link to a new browser tab (say Chrome), I can see the reply. It is expected since the user is logged in, but I want the request response not to be seen in the browser. Other competitors of ours use POST to counter the browser GET default.

Should we move to POST? I'm struggling since GET is the proper HTTP method for requesting stuff.

Upvotes: 1

Views: 512

Answers (2)

Abhinav Kulshreshtha

Reputation: 2205

For private stuff like stock market data, my first choice would have been a POST request.

I had once blocked GET API requests from browsers by detecting a browser, based on stuff like having a user agent string and custom header metadata, but based on experience, it isn't a perfect solution.

Another trick I had used in the past was using a simple encryption algorithm (it wasn't secure but was fast; it was merely a distraction) to encrypt values. So if someone did extract the JSON response, the data would be garbage unless decrypted with a key, which could be the JWT token in your case.

Again, these tricks will do nothing for security against a highly technical person, but will be enough of a distraction for regular to average reverse engineering tricks. Also, disclaimer: I never used GET for anything as important as financial and stock-related information. My rule was GET for normal filler stuff, and POST for important stuff.

Upvotes: 1

masnun

Reputation: 11916

It's a good idea to move to POST if you want to hide the output in the browser window. As with GET, the browser will always show the output directly.

However, please note that if anyone wants to see the API response, they can still simulate the API calls using JS and see the response in their browser console, or use a client like Postman to get the response. If they have proper tokens, they can always inspect your response; there's no way around it.

I believe it's working in the new tab as well because the user is logged in and the JWT token is stored in a cookie / localStorage / in a way that is accessible from new tabs. And your server is also able to access that.

If you send the token using a JS application (React maybe?) and tweak your server to accept the token through a request header every time, in that case just opening that URL will no longer work because the token will be missing from the request header.

Upvotes: 0
