
I am used to using Blazor server-side, where (basically) all the action happens on the server, so you don't need to expose APIs that need securing.

I'm now exploring client-side Blazor (i.e. WASM), and am looking at using minimal APIs to provide the data, secured by bearer token auth. We use this approach elsewhere in the solution for communication from our mobile apps and it seems to work fine.

However, the WASM runs in the browser, which makes it very easy to see any network calls made: you just open the browser's dev tools and there they are. The problem is that the auth header is in full view, making the auth redundant, as anyone can see the token and the endpoint being called, and access the API from their own code.

So, is there a way to prevent this? We want the WASM to be able to call the API, but not expose the credentials for any casual observer to see.

DreamingOfSleep
  • If you are talking about an API key, that can't be protected, but you can white-list certain IPs. If this is user authentication, it's OK if the user can see their own requests... as long as HTTPS is in place and everything's secure from XSS, CSRF, etc. Keep everything same-domain; if you store tokens in the browser, use same-site, secure, HTTP-only cookies; don't use GETs for state-changing requests. – pcalkins Aug 29 '23 at 20:45
  • We are able to see credentials in the browser, but when we see the credentials, it means we have already been authenticated, so the user should be legitimate. If this user copied the credential and did some other things, or some other users worked on that computer and did some other things, that's a user action and we are not able to control it. By the way, credentials will expire after a period of time. – Tiny Wang Aug 30 '23 at 02:53
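The comments above make two points that can be shown concretely: a token visible in dev tools only lets its holder act as the already-authenticated user, and its usefulness is bounded by a short expiry. The following is an added example of a minimal API configured along those lines; it is not code from the question or from any of the commenters. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, a signing key supplied through configuration (`Jwt:Key`), placeholder issuer, audience and origin values, and a hypothetical `IOrderStore` service that is stubbed in-memory here so the file runs on its own.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values: in a real deployment these come from configuration, not source.
const string Issuer = "https://api.example.invalid";
const string Audience = "blazor-wasm-client";
const string WasmOrigin = "https://app.example.invalid";
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)); // assumption: a 32+ byte secret in config

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,          // a token minted for this app can't be replayed against another API
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidateLifetime = true,          // reject tokens past their "exp" claim
            ClockSkew = TimeSpan.Zero         // no grace period beyond the stated expiry
        };
    });
builder.Services.AddAuthorization();

// Only the origin that serves the WASM app may call the API from a browser.
builder.Services.AddCors(o => o.AddDefaultPolicy(p =>
    p.WithOrigins(WasmOrigin).AllowAnyHeader().WithMethods("GET", "POST")));

builder.Services.AddSingleton<IOrderStore, InMemoryOrderStore>(); // hypothetical store, stubbed below

var app = builder.Build();
app.UseHttpsRedirection();   // bearer tokens must never travel over plain HTTP
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();

// Token issuance after the user's credentials have been checked (check omitted; 'userId' is assumed verified).
// The token is deliberately short-lived so a copied header has a small window of use.
app.MapPost("/api/token", (LoginRequest login) =>
{
    string userId = login.UserName; // assumption: credential verification already succeeded
    var token = new JwtSecurityToken(
        issuer: Issuer,
        audience: Audience,
        claims: new[] { new Claim(ClaimTypes.NameIdentifier, userId) },
        expires: DateTime.UtcNow.AddMinutes(15),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return Results.Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(token) });
});

// Data is scoped to the authenticated subject taken from the token, never from a client-supplied id,
// so a visible token only ever exposes that user's own data.
app.MapGet("/api/orders", (ClaimsPrincipal user, IOrderStore store) =>
{
    var subject = user.FindFirstValue(ClaimTypes.NameIdentifier)!;
    return Results.Ok(store.ForUser(subject));
}).RequireAuthorization();

// State-changing operations are POST, not GET, so they can't be triggered by a plain link or image tag.
app.MapPost("/api/orders", (ClaimsPrincipal user, NewOrder order, IOrderStore store) =>
{
    var subject = user.FindFirstValue(ClaimTypes.NameIdentifier)!;
    store.Add(subject, order.Item);
    return Results.Created($"/api/orders", null);
}).RequireAuthorization();

app.Run();

// --- hypothetical types used above (constructed for this example) ---
record LoginRequest(string UserName, string Password);
record NewOrder(string Item);

interface IOrderStore
{
    IReadOnlyList<string> ForUser(string userId);
    void Add(string userId, string item);
}

class InMemoryOrderStore : IOrderStore
{
    private readonly Dictionary<string, List<string>> _orders = new();
    public IReadOnlyList<string> ForUser(string userId) =>
        _orders.TryGetValue(userId, out var list) ? list : Array.Empty<string>();
    public void Add(string userId, string item)
    {
        if (!_orders.TryGetValue(userId, out var list)) _orders[userId] = list = new List<string>();
        list.Add(item);
    }
}
```

The design choice this illustrates is the one the comments describe: the header being visible in dev tools is accepted, and the damage a copied token can do is limited by lifetime validation with zero clock skew, an audience bound to this one client, an origin restriction, and endpoints that authorize on the token's own subject claim rather than on anything the caller supplies.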

0 Answers