Reputation: 63
I am writing a REST API using Express.js and I have some questions regarding security.
My first question is what information can hackers get from a request made from the client side. Can they figure out the request link? What about the body and headers? Is the body more secure than parameters, or vice versa?
My second question is if I implemented a CORS whitelist that only allowed origins that I wanted to access my API, would that prevent anyone else from hitting the API endpoints? Can people find ways around CORS?
Upvotes: 0
Views: 198
Reputation: 99687
When a REST API is called from a browser client, everything should be treated as completely open. Anyone can read URLs, headers, bodies, etc. There is no reasonable way around this, and you should design your system with this in mind.
CORS does not prevent someone from writing a script to call your API either. CORS does not add security, it takes it away by making it possible to call your API from browser applications on other domains. Not having CORS technically makes it harder to call your API in some contexts, and removes a potential security concern. The S in CORS stands for 'sharing', not 'security'.
Any security you need should be based on the server. For example, if you have data in your API that can only be read by 1 user, then the server needs to make sure that a different user cannot read it. To do this, a user needs to authenticate itself.
Upvotes: 1