0

I am building an application that stores form entries. It will accept post requests from a client web application and store the information as defined in the request. For example, frontend.com makes a request to backend.com/form-entries/create. My question is what's the best practice for securing backend.com so that it only accepts requests from authorized clients? We can assume that backend.com will only serve a handful of front-end clients that are owned by me.

It seems to me that the most simple and secure way of doing this would be to assert that incoming requests be from authorized domains, such as frontend.com. These authorized domains could be stored in the database. Am I correct in this thinking?

LeviJames
  • 1
  • This question is seems pretty broad, but I’d like to address an assumption. You can not verify with confidence the domain from which the request originated. Why? Because an attacker might not even use a browser if it suits them to try to spoof a request from your front end. What you need is authentication, or at the very least sessions. https://www.owasp.org/index.php/Authentication_Cheat_Sheet – nbering Jan 29 '19 at 15:34
  • Thanks for making me aware of the assumption that I was making. I looked into the OAuth2 grant types, and it looks like the Client-Credentials Grant could be a candidate for this use case. I was worried about sending sensitive information in a POST request to the authorization server. Can I assume that this information will be protected as long as I'm using SSL? – LeviJames Jan 29 '19 at 16:01
  • Yes, the purpose of SSL/TLS is to protect the data in transit between the browser and web server. There are attacks that can be made against TLS, but for the purposes of this question you can assume it’s safe. – nbering Jan 29 '19 at 20:26

0 Answers0