
At the moment I am working on a CRUD app that I am going to deploy (someday) and use for my own startup company. However I am nowhere near finishing this product and I stumbled upon a question that I can't seem to figure out.

I am using Express to serve Angular the data out of my MySQL database. To do this I had to create '/api/' routes. However, if I go (for example) to '/api/clients' I will be able to see the entire list of clients in an ugly array. In this case that does not really matter, since it's just the data they were able to see anyway.

However, my question is: is it important to block these kinds of routes from users? Will problems arise when a user goes to 'api/createClient'? Could this result in a DB injection that could ruin my DB?

My project can be found here: https://github.com/mickvanhulst/BeheerdersOmgevingSA

  • The server-side routing code can be found at: server > Dao > clientDao.js
  • Controllers, HTML & client-side routing can be found in the 'public' folder.

I hope my question is clear enough and someone will be able to answer my question. If not, please state why the question is not clear and I will try to clarify.

Thanks!

Mick

1 Answer


Looking at the code, it looks like your URLs can be accessed directly using a browser, and if so, then this does pose a security concern.

Doing DB transactions with user-provided fields or values is a major security concern if that data is not validated and sanitised before making a database call.

I would recommend the following minimum steps before crafting APIs which are internal but can be accessed using a browser:

  1. If this is internal, then do not provide the Access-Control headers from the server, or keep them confined only to your domain name. This prevents any ajax call from being made to your APIs from other domains.

  2. Do sanitise and validate all the data thoroughly before doing any kind of database transaction. There is lots of material everywhere on how to do it.

  3. If these APIs are meant for internal purposes, then kindly provide some kind of authentication to your APIs, with the help of middlewares, before doing the logical work in your routes. You can leverage cookie authentication for very simple API authentication management. You can also use JSON Web Tokens if you want more levels of security.

If you are manipulating your databases then I would highly recommend using some kind of authentication in your APIs. Of course, point number 2 is a must.

Chandan
  • Thank you for your answer! The naive me was hoping there would be a simple answer to just block all user requests to the API, but that would result in me not being able to display any data from the database. Can I conclude from your answer that the best way to go is to verify the incoming data (towards my DB)? I do not fully understand your 3rd point, as I am not that familiar with security yet. – Mick Nov 27 '15 at 10:19
  • Since you will be inserting the data into the database, I would recommend the above steps... – Chandan Nov 27 '15 at 10:21
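The three steps from the answer as one Express-style pipeline, written as an added example here; it is not code from the BeheerdersOmgevingSA repository. The `clients` table, the `CLIENT_SCHEMA` field list, the `https://app.example` origin and the `db.query(sql, params, cb)` callback shape (the API the `mysql` driver exposes) are all assumptions. Two caveats a practitioner should keep in mind: restricting `Access-Control-Allow-Origin` only stops scripts on other sites from reading responses in a browser, it does not stop anyone from calling `/api/createClient` directly with curl, so the authentication middleware is what actually gates access; and validation alone is not what prevents SQL injection, the parameterised query (`?` placeholders with a separate params array) is, so the query builder never concatenates user input into the SQL text.

```javascript
// Added example, not from the BeheerdersOmgevingSA project: CORS restricted to our
// own origin, input validation, session authentication and a parameterised INSERT,
// written in the (req, res, next) shape Express middleware uses so it can be
// mounted with app.use()/router.post(). Table/field names, the origin and the
// db.query() callback API are assumptions.

// Step 1: only emit Access-Control-Allow-Origin for our own origin. Browsers then
// refuse to let scripts on other sites read our API's responses.
function corsForOrigin(allowedOrigin) {
  return function (req, res, next) {
    if (req.headers.origin === allowedOrigin) {
      res.setHeader('Access-Control-Allow-Origin', allowedOrigin);
      res.setHeader('Vary', 'Origin');
    }
    if (req.method === 'OPTIONS') return res.status(204).end();
    next();
  };
}

// Step 3: require a session cookie that maps to a logged-in user. `sessions` is an
// in-memory Map of token -> user (assumption; a real app uses a session store).
function requireSession(sessions) {
  return function (req, res, next) {
    const token = parseCookies(req.headers.cookie || '').session;
    if (!token || !sessions.has(token)) {
      return res.status(401).json({ error: 'authentication required' });
    }
    req.user = sessions.get(token);
    next();
  };
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Step 2: whitelist the fields a client record may carry and check each one.
// Unknown fields are errors rather than silently handed to the database.
const CLIENT_SCHEMA = {
  name:  { required: true,  maxLen: 100, pattern: /^[\p{L}\p{N} .'-]+$/u },
  email: { required: true,  maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  phone: { required: false, maxLen: 20,  pattern: /^[0-9+() -]+$/ },
};

function validateClient(body) {
  const errors = [];
  const value = {};
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], value };
  }
  for (const key of Object.keys(body)) {
    if (!(key in CLIENT_SCHEMA)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(CLIENT_SCHEMA)) {
    const raw = body[key];
    if (raw === undefined || raw === '') {
      if (rule.required) errors.push(`${key} is required`);
      continue;
    }
    if (typeof raw !== 'string') { errors.push(`${key} must be a string`); continue; }
    const v = raw.trim();
    if (v.length > rule.maxLen) errors.push(`${key} longer than ${rule.maxLen} chars`);
    else if (!rule.pattern.test(v)) errors.push(`${key} contains invalid characters`);
    else value[key] = v;
  }
  return { ok: errors.length === 0, errors, value };
}

// Parameterised INSERT: column names come from the whitelist; user values only ever
// go into the params array for the driver's `?` placeholders, never into the SQL.
function buildInsertClient(value) {
  const cols = Object.keys(CLIENT_SCHEMA).filter((c) => value[c] !== undefined);
  const placeholders = cols.map(() => '?').join(', ');
  return { sql: `INSERT INTO clients (${cols.join(', ')}) VALUES (${placeholders})`,
           params: cols.map((c) => value[c]) };
}

// Handler for POST /api/createClient. db.query(sql, params, cb) is the callback
// shape of the mysql driver (assumption about the DAO).
function createClientHandler(db) {
  return function (req, res) {
    const result = validateClient(req.body);
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    const { sql, params } = buildInsertClient(result.value);
    db.query(sql, params, (err, info) => {
      if (err) return res.status(500).json({ error: 'database error' });
      res.status(201).json({ id: info.insertId });
    });
  };
}

// Minimal stand-in for Express's res so the chain can run without a server.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.json = (b) => { res.body = b; return res; };
  res.end = () => res;
  return res;
}

// Run cors -> auth -> handler in order, as Express would for a mounted route.
function runPipeline(req, sessions, db, origin = 'https://app.example') {
  const res = makeRes();
  const chain = [corsForOrigin(origin), requireSession(sessions), createClientHandler(db)];
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}
```

In a real app the same three functions are mounted with `app.use(corsForOrigin(...))`, `app.use('/api', requireSession(store))` and `router.post('/createClient', createClientHandler(db))`, so every `/api/` route is authenticated before any route logic runs; `makeRes` and `runPipeline` exist only so the chain can be exercised offline.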