
As I understand, API keys are typically used for 3rd-party access, but does it make sense to use one in order to verify it's my frontend talking to the API? I want to secure my API as best as it can be, so any other ideas for improving its security would be great.

b00n.
    Define "secure". If anyone can go to your website and that website will talk to your API, whether using a key or not, then the user didn't need to authenticate in any way and the access is anonymous for all intents and purposes. The key necessary to access your API is public knowledge. That might make it ever so slightly less convenient to access the API directly, but anyone who wants to still can. – deceze Sep 11 '20 at 11:51
  • That's a good point. So in theory, if I could guess some company's internal API, I could submit a POST request to their contact form endpoint, and it would be expected to go through? Just seems odd for it to be open and accessible like that, even if there's no real security risk. – b00n. Sep 11 '20 at 12:00
  • Consider what happens when you use server-side rendering, instead of a JavaScript website that fetches data via an API. Then your server would divulge and accept the exact same data, simply wrapped in HTML instead of JSON. It doesn't make any fundamental difference. – deceze Sep 11 '20 at 12:02
  • Cool, makes sense. Thanks for your help. – b00n. Sep 11 '20 at 13:31

1 Answer

An API key for internal use makes sense, outside the security scope.

Example: you have a web front end and an app (iOS); you could identify different types of REST client. You could add rate limiting by type of client.

The first check to secure your API is probably "Do you use HTTPS?"

See also: djangorestframework-api-key and "When and why API key" by Google.

jmny
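To make the answer's suggestion concrete (and deceze's point that the frontend key is public), here is an added Python example, not code from the question, the answer or any library named above: the API key only labels the client type, unknown keys fall into an "anonymous" bucket with the smallest quota, and the gate refuses non-HTTPS requests. The key values, limits and the `X-Forwarded-Proto` convention are assumptions for the example.

```python
import time
from collections import deque

# Constructed example: the API key only labels which client sent the request.
# It ships inside the web bundle or app binary, so it is public and is NOT a credential.
CLIENT_KEYS = {
    "web-frontend-key": "web",
    "ios-app-key": "ios",
}

# Requests allowed per window, by client type. Unknown or missing keys are
# bucketed as "anonymous" and get the smallest quota.
LIMITS = {"web": 100, "ios": 50, "anonymous": 10}
WINDOW_SECONDS = 60

def client_type(api_key):
    """Map a (public) API key to a client type; anything unrecognised is anonymous."""
    return CLIENT_KEYS.get(api_key, "anonymous")

class RateLimiter:
    """Sliding-window limiter keyed by (client type, remote address)."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self._hits = {}  # (client type, addr) -> deque of request timestamps

    def allow(self, api_key, remote_addr, now=None):
        now = time.monotonic() if now is None else now
        ctype = client_type(api_key)
        bucket = self._hits.setdefault((ctype, remote_addr), deque())
        # Drop timestamps that have aged out of the window.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        if len(bucket) >= self.limits[ctype]:
            return False
        bucket.append(now)
        return True

def handle_request(limiter, headers, remote_addr, now=None):
    """Minimal request gate: insist on HTTPS, then apply the per-client quota."""
    # Assumption: a TLS-terminating proxy sets X-Forwarded-Proto and strips
    # any copy the client supplied; without that header the request is refused.
    if headers.get("X-Forwarded-Proto") != "https":
        return 403, "HTTPS required"
    if not limiter.allow(headers.get("X-API-Key", ""), remote_addr, now):
        return 429, "rate limit exceeded"
    return 200, "ok"
```

Because the key is public, the quota is scoped by remote address as well as client type; the key buys a per-client-type policy, not authentication.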