Questions tagged [api-security]

39 questions
0
votes
1 answer

Multiple HTTPS security schemes for different endpoints in the same API?

Is it possible to have an API (HTTPS) which has some endpoints (test_1, test_2) with different HTTP methods (test_1: GET, POST), where GET and POST have different HTTPS security features (like different cipher suites, different certificates)? I…
0
votes
0 answers

Confirm API is called by known application

The following sequence diagram is the most simplified version of my application's sequence diagram. The API calls below are all HTTP requests. I want to send a secure code grant to App_B when App_A_Client calls App_B_endpoint/GetData(). App_B would…
david
  • 95
  • 1
  • 17
0
votes
0 answers

How to prevent client-side scripts from altering API requests before they are sent from the browser?

I'm not sure if this is even a valid question but I want to know how it works on websites where you might purchase something. Ex: I'm on Amazon - I decide I want to buy a watch. I add it to my cart and I go to click "buy". As I do that - some…
alex
  • 1,905
  • 26
  • 51
0
votes
0 answers

How to allow unauthorized users to use the API only if they make a request to it from whitelisted sites

I have a REST API created with Express. One of my API's endpoints is available to all unauthorized users. My goal is to allow unauthorized users to use this endpoint only if they make a request to it from my site, which is hosted on a different…
Oleksandr
  • 88
  • 5
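An added example, not part of the question above, of the kind of check the asker describes: an Express-style middleware that lets the browser call the public endpoint only when the request carries an Origin from an allowlist. The allowed origins (https://www.example.com and https://app.example.com) and the middleware name are assumptions for illustration. The check compares the canonical scheme://host[:port] value exactly, never a substring or prefix, so look-alike hosts such as https://www.example.com.evil.test are refused. The caveat a practitioner needs: browsers set Origin and honour the CORS response, but any non-browser client (curl, a script) can send whatever Origin it likes, so this restricts use from other people's web pages; it does not authenticate the caller.

```javascript
// Added example (not code from the question). Allowed origins are placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://www.example.com',
  'https://app.example.com',
]);

// Exact-match Origin check. We parse the header with the WHATWG URL parser and
// compare its canonical origin (lower-cased host, default port dropped), so that
// "https://WWW.example.com" passes while "http://www.example.com" (wrong scheme),
// "https://www.example.com.evil.test" (look-alike host) and
// "https://evil.test/?u=https://www.example.com" (allowed string in the query) all fail.
function isAllowedOrigin(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === '' || originHeader === 'null') {
    return false; // missing header, or the opaque "null" origin (sandboxed iframe, file://)
  }
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // not a parseable origin at all
  }
  return ALLOWED_ORIGINS.has(url.origin);
}

// Returns the CORS headers to send for an accepted request, or null to refuse.
// "Vary: Origin" stops caches from replaying one origin's answer to another.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!isAllowedOrigin(origin)) return null;
  return {
    'Access-Control-Allow-Origin': new URL(origin).origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET',
  };
}

// Express-compatible middleware (hypothetical name). Use as:
//   app.get('/public-data', originGate, handler);
function originGate(req, res, next) {
  const headers = corsHeadersFor(req.headers);
  if (!headers) {
    res.statusCode = 403;
    res.end('origin not allowed');
    return;
  }
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  next();
}

module.exports = { isAllowedOrigin, corsHeadersFor, originGate };
```

Because the gate only sees what the client chose to send, treat it as a browser-side control that complements, rather than replaces, rate limiting or an actual credential on the endpoint.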
0
votes
2 answers

Server / X-Powered-By headers not available in runtime

The "Server" and "X-Powered-By" headers are not present in the API response during runtime (or debugging) but appear only in Postman / the browser. My objective is to remove the Server/X-Powered-By headers, but they are not available during runtime for…
0
votes
0 answers

How to protect my REST API calls in Flutter?

I am developing an app in Flutter which will have in-app purchases. I am keeping track of user credits and some other things on my Node server. I am concerned that if I call my Node API to increase user credits in my app code, it can be accessed by…
0
votes
1 answer

SubscriptionKeyInvalid in Azure API Management for an endpoint in a product that does not require subscription?

I have a very strange issue with Azure API Management that I can't seem to figure out... We have an API operation that is part of an APIM API that is linked with a Product that does not require a subscription. The intention is that this API…
0
votes
0 answers

Hide Server Banner - Empty, or Some Name without Configuration Information?

We often hide the ServerName / ServerSignature in the httpd.conf configuration to prevent server banner attacks. Should we keep it empty or display some name that doesn't give information about the server configuration? Example: Server: ZGS. This…
Milind Deore
  • 2,887
  • 5
  • 25
  • 40
0
votes
1 answer

How to encrypt and decrypt all API requests and responses in SAP hybris?

I have a security requirement that all the data that flows through the API should be encrypted. I don't see any OOTB implementation. So I have thought about having a filter to decrypt and a custom sanitizer to encrypt; that sounded like a plan, but are there any…
0
votes
1 answer

Stripe Data Security

I am currently implementing Stripe in my project and I am facing a big doubt about the data I send to the front-end. Is it secure if I send the payment_method_id, for example, to the front-end, or if I expose the subscription_id or invoice_id? Is there any…
john bowlee
  • 125
  • 1
  • 11
0
votes
2 answers

Should REST APIs with non-sensitive data be protected?

So I have a RESTful API that is responsible for handling the licenses for my app; it records User ID, User email, Username, license expiry date. Currently what happens is the user authenticates via a third-party auth service (Firebase), then the app…
Ahmed Fawzy
  • 309
  • 2
  • 8
0
votes
1 answer

What is the best approach to stop your platform's users from "sniffing" the frontend requests to the backend and modifying them?

So I have a platform that works like this: Users can create accounts by logging in with their Google account (I use Auth0), and then they can create "Projects" which contain lots of other stuff that is unimportant for my current problem (like todo lists,…
Alec
  • 73
  • 2
  • 7
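The two questions above about users editing requests in the browser (the "buy a watch" case and the Auth0 "Projects" case) have the same answer: the browser cannot be stopped from changing what it sends, so the server must treat every field as untrusted and derive anything security-relevant itself. The following is an added example, not code from either asker, showing what that looks like for both cases. It assumes an upstream middleware has already verified the bearer token and placed the verified subject on `user.sub`; the catalog, the project store, the field allowlist and the error class are constructed placeholders.

```javascript
// Added example (not from either question). Data below is constructed sample data.
const CATALOG = new Map([
  ['sku-watch', { name: 'watch', priceCents: 19900 }],
  ['sku-strap', { name: 'strap', priceCents: 2500 }],
]);

const PROJECTS = new Map([
  ['p1', { id: 'p1', ownerId: 'auth0|alice', name: 'alpha', todos: [] }],
  ['p2', { id: 'p2', ownerId: 'auth0|bob',   name: 'beta',  todos: [] }],
]);

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Checkout: the client may choose WHAT and HOW MANY, never HOW MUCH.
// Any "price" or "total" field in the request body is simply never read.
function priceOrder(items) {
  if (!Array.isArray(items) || items.length === 0) throw new HttpError(400, 'empty order');
  let totalCents = 0;
  const lines = items.map(({ sku, qty }) => {
    const product = CATALOG.get(sku);
    if (!product) throw new HttpError(400, `unknown sku ${sku}`);
    if (!Number.isInteger(qty) || qty < 1 || qty > 100) throw new HttpError(400, 'bad quantity');
    totalCents += product.priceCents * qty;
    return { sku, qty, unitPriceCents: product.priceCents };
  });
  return { lines, totalCents };
}

// Project update: identity comes from the verified token (user.sub), never from
// the body, and only an explicit allowlist of fields is copied across.
const EDITABLE_FIELDS = ['name', 'todos'];

function updateProject(user, projectId, body) {
  const project = PROJECTS.get(projectId);
  // Same response whether the project is missing or belongs to someone else,
  // so a tampered id does not confirm that another user's project exists.
  if (!project || project.ownerId !== user.sub) throw new HttpError(404, 'no such project');
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) project[field] = body[field];
  }
  return project; // body.ownerId, body.id, body.plan etc. are ignored
}

// Helper so callers can observe the rejection without try/catch noise.
function statusOf(fn) {
  try { fn(); return 200; } catch (e) { return e instanceof HttpError ? e.status : 500; }
}

module.exports = { priceOrder, updateProject, statusOf, HttpError, PROJECTS };
```

The pattern generalizes: every value the client could benefit from changing (price, owner, role, plan, discount) is either looked up server-side from the authenticated identity or ignored, and the body is copied field by field from an allowlist rather than merged wholesale.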
0
votes
1 answer

How to use Azure AD to secure an API that needs to be accessed by a 3rd party application?

We are running an API that is configured for and secured by Azure AD. This is working for us with an Angular app where users login interactively. Now we have a need for a partner firm to use the API in a system to system way (no user login). What…
0
votes
0 answers

Best practices to follow when building API service to be used by customers

Throughout my career, I've relied on and used various API services in my projects. I have seen multiple mechanisms for how these APIs are secured, but the most common one seems to be API keys. I am now planning to build out my own API service and, being…
Ilja
  • 44,142
  • 92
  • 275
  • 498
0
votes
0 answers

REST API authorization in microservices when you have 1000s of APIs

We are developing a back-office user application with lots of screens which interact with lots of REST APIs. In OAuth, most of the tutorials show how to authorize an API by getting details from the JWT and using them to check whether to allow or…
nani21984
  • 911
  • 2
  • 13
  • 21
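An added example, not code from the question above, of how per-endpoint authorization scales past the tutorial pattern of a hand-written claim check inside each of thousands of handlers: the required permission is derived from the request's method and route pattern by a single data table, roles expand to permissions, and everything not in the table is denied by default. The route table, the role-to-permission map and the claim layout (`roles` and `permissions` arrays in the already-verified JWT payload) are assumptions for illustration; verifying the token's signature is a separate step that must happen before this code runs.

```javascript
// Added example (not from the question). Routes, roles and claim names are placeholders.
const ROUTE_PERMISSIONS = [
  { method: 'GET',    pattern: '/orders',        permission: 'orders:read' },
  { method: 'GET',    pattern: '/orders/:id',    permission: 'orders:read' },
  { method: 'POST',   pattern: '/orders',        permission: 'orders:write' },
  { method: 'DELETE', pattern: '/orders/:id',    permission: 'orders:admin' },
  { method: 'GET',    pattern: '/customers/:id', permission: 'customers:read' },
];

const ROLE_PERMISSIONS = {
  clerk:   ['orders:read', 'customers:read'],
  manager: ['orders:read', 'orders:write', 'customers:read'],
  admin:   ['orders:read', 'orders:write', 'orders:admin', 'customers:read'],
};

// Compile "/orders/:id" into ^/orders/[^/]+/?$ : each ":param" matches exactly one
// path segment, literal segments are regex-escaped, and the whole path must match,
// so "/orders/42/refund" does not inherit the policy of "/orders/:id".
function compile(pattern) {
  const source = pattern
    .split('/')
    .map(seg => seg.startsWith(':') ? '[^/]+' : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('/');
  return new RegExp('^' + source + '/?$');
}

const COMPILED = ROUTE_PERMISSIONS.map(r => ({ ...r, re: compile(r.pattern) }));

// Which permission a request needs, or null if no policy covers the route.
function requiredPermission(method, path) {
  const pathOnly = path.split('?')[0];
  const hit = COMPILED.find(r => r.method === method.toUpperCase() && r.re.test(pathOnly));
  return hit ? hit.permission : null;
}

// Effective permissions: direct "permissions" claim plus whatever the roles grant.
function permissionsFor(claims) {
  const perms = new Set(Array.isArray(claims.permissions) ? claims.permissions : []);
  for (const role of claims.roles || []) {
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return perms;
}

// Deny by default: an unknown route and a missing permission are both refused.
function authorize(claims, method, path) {
  const needed = requiredPermission(method, path);
  if (needed === null) return { allowed: false, reason: 'no policy for route' };
  if (!permissionsFor(claims).has(needed)) return { allowed: false, reason: `missing ${needed}` };
  return { allowed: true, reason: needed };
}

// Express-style gateway middleware (hypothetical): one registration covers every route.
function authzMiddleware(req, res, next) {
  const decision = authorize(req.user || {}, req.method, req.originalUrl || req.url);
  if (!decision.allowed) {
    res.statusCode = 403;
    res.end(decision.reason);
    return;
  }
  next();
}

module.exports = { compile, requiredPermission, permissionsFor, authorize, authzMiddleware };
```

Two things this layer deliberately does not do: it does not decide whether order 42 belongs to the caller (that is an object-level check inside the handler, since the table only knows the shape of the URL), and it does not trust the `roles` claim until the token signature, issuer, audience and expiry have been verified upstream. Keeping the table in data also lets the same file be reviewed, diffed and loaded by every microservice instead of being re-implemented in each one.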