
Prerequisites:

PHP: 5, Laravel: 5.1, MySQL: innodb 5.6.34.

Problem:

We built a web API with a single endpoint, "test". Now another endpoint ("health") should be added - this endpoint serves as a health indicator for the API: when we call test.api.com/health?, the respective Controller should make a direct connection to a DB and send two statuses as a response to the user: the status of the API and the status of the DB (data is there, DB is live, everything's fine).

Question:

How secure is it to make such a Controller without an authentication middleware? Or in other words: how secure is it to call an endpoint which connects to a DB without an API key?

Note that the framework can change in the future - probably to Python's Flask, as well as the DB - to PostgreSQL. So even if you don't have expertise in Laravel or MySQL, don't hesitate to give your feedback.

halfer
vlad.rad
  • Why would that be a problem? Stackoverflow doesn't require authentication, do you think they aren't making calls to the database? – Devon Bessemer Jul 17 '18 at 15:01
  • The controller is the one making calls to the database, which is your code that no one else should be able to have direct access to. Presumably you've made an informed decision on which information is ok to share with unauthenticated users and you're not sharing anything more. – apokryfos Jul 17 '18 at 15:57
  • Thank you for the comments @apokryfos and Devon - though it is obvious, it wasn't so obvious for me. – vlad.rad Jul 17 '18 at 16:02

1 Answer

You shouldn't have a problem with this. You're not taking in user input, so you're not prone to any SQL vulnerabilities, if that's what you were thinking. You may want to cache the response for a few seconds so as not to hammer the database server. Optionally, a rate limiter on the API may be a good idea.

Ian
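
The answer's two main points (a constant query with no request input, and a response cached for a few seconds), as an added example that is not part of the original question or answer. It is written in framework-free Python because the question mentions a possible move to Flask. The `HealthCheck` class, the 5-second TTL and the in-memory `sqlite3` connection standing in for MySQL/PostgreSQL are assumptions made for the demo.

```python
import sqlite3
import time

CACHE_TTL_SECONDS = 5  # assumed value; the answer only says "a few seconds"


class HealthCheck:
    """Unauthenticated health probe: fixed query, cached result, coarse output."""

    def __init__(self, connect, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._connect = connect   # callable returning a DB-API connection
        self._ttl = ttl
        self._clock = clock
        self._cached = None       # (expires_at, payload)
        self.db_probes = 0        # how many times the DB was actually contacted

    def _probe_db(self):
        self.db_probes += 1
        try:
            conn = self._connect()
            try:
                cur = conn.cursor()
                # Constant statement: nothing from the request reaches the SQL.
                cur.execute("SELECT 1")
                cur.fetchone()
            finally:
                conn.close()
            return "up"
        except Exception:
            # Return only a coarse state. Driver error text can carry host
            # names, account names or schema details to anonymous callers.
            return "down"

    def status(self):
        now = self._clock()
        if self._cached and now < self._cached[0]:
            return self._cached[1]          # served from cache, no DB round trip
        payload = {"api": "up", "db": self._probe_db()}
        self._cached = (now + self._ttl, payload)
        return payload


def sqlite_connect():
    # Stand-in for the real database connection (constructed for this example).
    return sqlite3.connect(":memory:")


if __name__ == "__main__":
    hc = HealthCheck(sqlite_connect)
    print(hc.status(), hc.status(), "db probes:", hc.db_probes)
```

The cache bounds database load to one probe per TTL window regardless of how often the endpoint is called; the rate limiter the answer mentions would sit in front of this and is not shown.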