Timeline for Securing a private API
Current License: CC BY-SA 3.0
Post Revisions
16 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Sep 1, 2016 at 20:42 | vote | accept | Christian | ||
| Sep 1, 2016 at 18:30 | comment | added | Christian | @CortAmmon gotcha, I like your idea of keeping it simple. Honestly there's not really any sensitive information being sent, so I guess like you said worst case scenario is we change the API key. | |
| Sep 1, 2016 at 18:15 | comment | added | Cort Ammon | @Chris Defense in depth is a good idea, but you will want to consider your threat model first. Figure out what kind of attackers you intend to deal with, and what resources they have. For many systems, a sufficient failsafe is "I pull the plug on the servers if something goes wrong, reboot, and then install a new API key on both machines before continuing." Security is a tricky business, and it can pay to keep it simple. | |
| Sep 1, 2016 at 18:01 | comment | added | Christian | @CortAmmon that makes sense. So my number one priority should be keeping the key secure. That being said, shouldn't I also have some failsafes in the event that it does become compromised? | |
| Sep 1, 2016 at 17:47 | comment | added | Cort Ammon | Note: in cryptography, we assume you won't lose your keys. This assumption is so great that when we say "Alice verifies that a message came from Bob," it's actually shorthand for "Alice verifies that a message came from someone who knows what Bob knows." If your adversary knows as much as your ally, encryption falls apart and you are now highly dependent on physical security to provide integrity. | |
| Sep 1, 2016 at 16:39 | history | suggested | Evan | CC BY-SA 3.0 | Remove thanks (unnecessary), formatting, indicate why the current solution isn't good enough |
| Sep 1, 2016 at 16:29 | review | Close votes | |||
| Sep 6, 2016 at 3:00 | |||||
| Sep 1, 2016 at 16:06 | comment | added | Christian | @Evan just an API key. Sorry I'm a bit of a beginner, could you explain the difference? I know that normally with a public API, each user would be issued an API key, and the site would have a secret key and both would be authenticated when a request is made, correct? In my application the API is just being used on the back end by the server, so I'm not sure what the difference between the API key and secret would be. Sorry if I totally misunderstood your comment. | |
| Sep 1, 2016 at 16:03 | comment | added | user174739 | @thorstenmüller Limiting by IP does not necessarily prevent a malicious request; an attacker may be able to spoof the address. | |
| Sep 1, 2016 at 15:58 | review | Suggested edits | |||
| Sep 1, 2016 at 16:39 | |||||
| Sep 1, 2016 at 15:56 | comment | added | Christian | @Evan if my api key becomes compromised then there is effectively no security. | |
| Sep 1, 2016 at 15:53 | comment | added | Luc Franken | For server - server this is a good start. Your biggest risk is losing that API key. So make sure your connection is for example over https so it's not easy to be in the middle. Also you need to prevent from losing your key when for example your website gets hacked by a scripting error. If you want to improve this process it seems wiser to start using for example an SSH tunnel / vpn in between them. But I see your biggest risk at this moment that users seem to connect to those servers as well (not to the api but to the server), so there is your biggest attack surface. | |
| Sep 1, 2016 at 15:49 | answer | added | user174739 | timeline score: 2 | |
| Sep 1, 2016 at 15:47 | comment | added | thorsten müller | Are the API requests made server to server or from the browser once the user has loaded the page? If it's server only you could just limit requests to the second server's IP address and be finished with it. | |
| Sep 1, 2016 at 15:29 | review | First posts | |||
| Sep 1, 2016 at 16:04 | |||||
| Sep 1, 2016 at 15:27 | history | asked | Christian | CC BY-SA 3.0 |