Often when I write server side rendered webapps, I'll plop a RESTful API in front of the datastore. More often than not it'll live in the same process as my server.

I don't really want randos, robots, and other hooligan consumers making calls to my APIs, so I secure them with token auth. By that I mean, to access my APIs from e.g. cURL you would do

    curl -H "Authorization: Token sometoken1234" http://ift.tt/2EKRQFU

My server makes calls to the API routes with the token header.

Is this worth doing? Does it provide any actual security? Assume I use good practices like TLS, regenerating the API's token regularly, and not storing the token anywhere in plaintext; rather I keep it as an environment variable (those are the only good practices I know). Are there better ways to secure (ostensibly) RESTful endpoints?
Submitted February 06, 2018 at 07:04AM by affinespaces
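The header check the post describes, written out as an added example that is not part of the original post: the shared token is read from an environment variable, the "Authorization: Token <value>" header is parsed strictly, the comparison is constant-time, and a WSGI middleware rejects anything that fails before the API handler runs. The names API_TOKEN, require_token and the other function names are assumptions, not from the post.

```python
import hmac
import os
from typing import Callable, Optional

# Assumed env var name; the post only says the token lives in an environment variable.
def expected_token() -> str:
    """Load the shared API token from the environment, refusing to run without one."""
    token = os.environ.get("API_TOKEN")
    if not token:
        raise RuntimeError("API_TOKEN is not set; refusing to start with an empty token")
    return token

def parse_token_header(value: Optional[str]) -> Optional[str]:
    """Return the token from 'Token <value>', or None if the header is absent or malformed."""
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    # Exactly two parts, scheme must be the literal "Token" (case-sensitive, as in the post)
    if len(parts) != 2 or parts[0] != "Token" or not parts[1]:
        return None
    return parts[1]

def token_is_valid(presented: Optional[str], expected: str) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))

def require_token(app: Callable, expected: str) -> Callable:
    """WSGI middleware: every request to the wrapped API must carry a valid token."""
    def wrapped(environ, start_response):
        presented = parse_token_header(environ.get("HTTP_AUTHORIZATION"))
        if not token_is_valid(presented, expected):
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"), ("WWW-Authenticate", "Token")])
            return [b"unauthorized\n"]
        return app(environ, start_response)
    return wrapped

def api(environ, start_response):
    """Stand-in API route (constructed for the example); only reached after the check."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Usage: API_TOKEN=sometoken1234 python this_file.py, then curl with the Token header.
    make_server("127.0.0.1", 8000, require_token(api, expected_token())).serve_forever()
```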