Public API security question


#1

Hey everyone,

I really love the idea of separating backend from frontend. In my case I’m currently playing around with that topic using nuxt.js for the frontend part and serverless with lambda / API gateway for the backend. But today I came up with a security issue with that kind of architecture and maybe you can help me with that.

When we use this pattern of having an SPA and requesting all information via APIs we should think about securing our endpoints. For private endpoints it's not that easy but possible. We can't use a simple API token here because we can't store that token in a secure way in our SPA (it is executed on the client's machine). But after logging a user in we can use a JWT, for example, and then add an authorizer to the corresponding Lambda function that checks the JWT on each request. As I said, not simple but possible.

But then I came up with public APIs. If we have an eCommerce shop, for example: for sure, every visitor is able to see our products without logging in. So the SPA calls a public API endpoint that returns all products. If a visitor now checks the XHR requests they will be able to get the same response using Postman, for example. So how can we protect it?

On a PHP app we get our data and then the page gets rendered. Even if we used a backend like Express here, that wouldn't make a difference, because the visitor can still request data from that endpoint, right? Do you have any idea how we can secure public endpoints from being used by everyone? Sounds weird because that is why they are called PUBLIC endpoints, I know.

Thanks!


#2

I’m not really seeing the problem here?

Are you suggesting that if you serve the data wrapped in an HTML template then it's secure, but if you send JSON from an API endpoint it's suddenly not? Given how easy it is to scrape a data-driven HTML site precisely because every page is rendered using a template, I don't see the problem.

Your API endpoint has the exact same problems that your PHP page did.

If you need to restrict access to the endpoint then just use an authorizer. You can store a token in local or session storage and automatically include it in the header with your AJAX request. This is no worse than having PHP send cookies back and forth between the client and the server.


#3

I agree, buggy. But two things are different here:

  1. Scraping a page (especially an SPA) is way more difficult than just calling an API endpoint.
  2. You must take care about which data you return. In a normal PHP app, the app itself can handle the response server-side and only return the data you want to display to the view.

But yeah, in the end it is similar. And for private routes we can use authorizers. Thanks for clarification.
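The second point in #3, returning only the data the view needs, as an added example that is not part of the original thread and not any poster's code. It assumes a hypothetical internal product record with private columns (`costPrice`, `supplierId`, `stock`, `internalNotes`), constructed sample rows, and a handler shaped like an API Gateway Lambda proxy response with `limit`/`offset` query parameters; the page-size cap is an addition on top of what the thread discusses.

```javascript
// Added example (not from the thread): a public "list products" handler that
// returns only an allowlisted view of each internal record and caps the page
// size. Records below are constructed sample data.
const PRODUCT_RECORDS = [
  { id: 'p-1', name: 'Mug', price: 9.9, currency: 'EUR', costPrice: 2.1, supplierId: 's-7', stock: 140, internalNotes: 'reorder in May' },
  { id: 'p-2', name: 'Hat', price: 19.5, currency: 'EUR', costPrice: 6.0, supplierId: 's-3', stock: 0, internalNotes: '' },
  { id: 'p-3', name: 'Scarf', price: 14.0, currency: 'EUR', costPrice: 4.2, supplierId: 's-7', stock: 12, internalNotes: 'margin review' },
];

// Allowlist: a field reaches the client only if it is named here. Columns added
// to the record later stay private by default, which a denylist would not give you.
const PUBLIC_PRODUCT_FIELDS = ['id', 'name', 'price', 'currency'];
const MAX_PAGE_SIZE = 2; // deliberately small so the cap is visible in the demo

function pick(record, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(record, f)) out[f] = record[f];
  }
  return out;
}

function toPublicProduct(record) {
  const view = pick(record, PUBLIC_PRODUCT_FIELDS);
  view.inStock = record.stock > 0; // derived flag instead of the exact stock count
  return view;
}

// Parse a non-negative integer query parameter with a default and an upper bound.
function boundedInt(value, fallback, max) {
  const n = Number.parseInt(value, 10);
  if (!Number.isInteger(n) || n < 0) return fallback;
  return Math.min(n, max);
}

// Lambda proxy-style handler for GET /products?limit=&offset=
function listProducts(event) {
  const qs = (event && event.queryStringParameters) || {};
  const limit = boundedInt(qs.limit, MAX_PAGE_SIZE, MAX_PAGE_SIZE);
  const offset = boundedInt(qs.offset, 0, Number.MAX_SAFE_INTEGER);
  const items = PRODUCT_RECORDS.slice(offset, offset + limit).map(toPublicProduct);
  return {
    statusCode: 200,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ items, total: PRODUCT_RECORDS.length, limit, offset }),
  };
}

module.exports = { toPublicProduct, listProducts, PUBLIC_PRODUCT_FIELDS, MAX_PAGE_SIZE };
```

Anyone with Postman can still call this endpoint, which is the point #2 makes; what the allowlist controls is that they only ever receive the same fields the storefront shows, and the cap means one request cannot pull the whole catalogue at once.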