Application Programming Interface; a set of routines, protocols, tools or endpoints used in software development.
Questions tagged [api]
527 questions
What stops a malicious user from hitting an endpoint with falsified data from the console of a webpage?
I'm a little bit of an amateur on API security. I'm building a browser-based puzzle with a leaderboard, and I'm wondering what prevents a user from simply hitting the /success endpoint with data that basically equates to { time: '3s' } automatically…
Asked by temporary_user_name (23 votes, 3 answers)

What is the purpose of an API Token and an API Secret?
So if a user authenticates to the site using a username/pw, they get a session token which is passed back to the server to validate who they are.
However, when you use an API like Twitter or 4square, you have both a token and a secret. What extra…
Asked by boatcoder (9 votes, 1 answer)

How to protect an API from malicious usage
We are developing a community portal service using Java-Spring and Angular UI. We are also going to have an Android app soon. Our back-end exposes many services via REST API. There are a couple of services which allow anonymous posting and creating…
Asked by navaltiger (4 votes, 1 answer)

What are the risks of having an unsecured API, if there's nothing sensitive in the database?
I understand that the answer is probably that ideally, I would just have a secured API, but I want to understand the threats that exist as well as the defenses. And all of the articles I've read focus primarily on "they could come in and take your…
Asked by one_observation (2 votes, 2 answers)

Security concerns related to API Key in Website
I want to make a weather-forecast website and was planning to make AJAX requests to the openweathermap API to load the weather data.
However, I am uncertain about how to properly use the API key. I was going to include the key in a JS script, but I am…
Asked by Sebastian Hietsch (2 votes, 2 answers)

API security for APIs which are open to non-logged-in users
We have a website for which we have backend APIs.
Now the issue is that the majority of our APIs are open to non-logged-in users (functional requirement).
Now what we want is to secure those APIs so that no one can start crawling and get…
Asked by Ankit Bansal (1 vote, 1 answer)

Are there any flaws with allowing SQL queries as part of an API to fetch data?
We're working on an API to allow clients access to bits of data from a series of tables. We've come up with a JSON-based API which works well, but it could definitely be improved upon.
It has come to a point where we want to update the API to make…
Asked by Script47 (1 vote, 0 answers)

What methods can I use to prevent a public API's limit bypass?
So let's say that after 50 requests in a period of 30 seconds, a user's IP gets blacklisted. They can still bypass this block by changing their IP, which is quite easy and fast nowadays.
So, what other methods could I use to prevent my public API's…
Asked by Gustavo (1 vote, 1 answer)

How does IP whitelisting help secure an API?
I'm trying to get a better understanding of the extent that IP whitelisting helps to prevent attacks against an API.
At the moment I'm thinking of a B2B scenario where organisation A provides an API and organisation B consumes the API.
If the…
Asked by user1605665 (1 vote, 2 answers)

How to secure an API from spam & crawling
I am working on a mobile app and its API, which uses a private token for every user for authentication.
I want to make sure that no one will misuse the API to crawl my data or to spam my database. Even if I won't publish their posts until they get…
Asked by Morad Edwar (1 vote, 0 answers)

What are the risks of making an API public, and how to avoid them?
Let's say I'm running a website and it has an API used by other clients (Android app, etc.). If I open the API and document it, anyone can use the API to create client apps for my website. But is it dangerous for my website or the data of the site…
Asked by Perqin (1 vote, 0 answers)

Making an API safe and secure
So I have a website. Now I'm making an app for it. In the app I need to sign the user in. So I'm making an API for it.
The problem is, once I make this API, how will I be able to test for robots and what have you?
Example: on my website I have…
Asked by Trevor Wood (1 vote, 2 answers)

Validating Personal Access Token
I want to implement PATs for an API I am creating and want to know if there are any security issues and if there might be a better way.
User requests token, names it, and gives it permissions.
Token is generated on the server and returned for one-time…
Asked by Jason Goemaat (0 votes, 1 answer)

How long should a password be for securing an API on the internet?
I have to create an API that is only allowed to be consumed by one third-party company we are working with. Unfortunately, the API has to be connected to the internet. For authentication, the other company is going to pass a password in each request…
Asked by Weare Mwam (0 votes, 1 answer)

API Security (APIs to be exposed to a specific client)
We have a microservice-based architecture.
Currently, we have APIs which we have exposed over the internet for all users.
Now we want to provide APIs to a specific client, and only this specific client should be able to access this API.
What security…
Asked by Ankit Bansal (0 votes, 1 answer)