I'm building a web application wherein users CRUD their own private data.
- Can I safely expose API endpoints?
Despite years in-industry and endless web-research, I'm not clear on the best architecture and how to most efficiently ensure security of the user data. The most basic requirements include: user authorization, view/add/update your own data. I already wrote a version 1 of the app and would like to develop a version 2 from scratch. Exposing API endpoints could help isolate my front-end and back-end development. Is security still possible if I want a pure JS front-end app?
1 Answer
I'm not sure if you're asking about securing every single point of your API, but what I would do is use a reverse proxy (for example, Nginx) with TLS encryption that could cover both your front-end and back-end servers. This way you know your users' data is not compromised before it reaches the API.
The next thing is user authentication & authorization. There are many production-ready identity packages available for most platforms (do not implement your own if you're not sure what you're doing, and even then it might be a good idea to pick one that has been around for a while). But the basics are that you authenticate your user against your database, give the user a token of some sort and have the user use that token to do subsequent requests. And because your API is encrypted (everything but the base address is encrypted until a message hits your server), you can send this token to your user without fear. A very common place to carry the token is the 'Authorization' HTTP header.
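The token flow described in the answer above, as an added example that is not part of the original answer: the server issues an opaque token after login, resolves the `Authorization: Bearer` header on each request, and scopes every record to the token's owner. The in-memory `sessions` and `notes` stores, the function names, and the request shape are assumptions standing in for a database and an identity package.

```javascript
const { randomBytes } = require('node:crypto');

// Constructed in-memory stores (assumption); a real app uses its database.
const sessions = new Map(); // token -> { userId, expiresAt }
const notes = new Map();    // noteId -> { ownerId, text }

// Called only after the password check against the user database succeeds.
function issueToken(userId, ttlMs = 15 * 60 * 1000, now = Date.now()) {
  const token = randomBytes(32).toString('base64url'); // 256 bits, unguessable
  sessions.set(token, { userId, expiresAt: now + ttlMs });
  return token;
}

// Resolve "Authorization: Bearer <token>" to a user id, or null.
function authenticate(headers, now = Date.now()) {
  const match = /^Bearer ([A-Za-z0-9_-]+)$/.exec(headers.authorization || '');
  if (!match) return null;
  const session = sessions.get(match[1]);
  if (!session || session.expiresAt <= now) return null; // unknown or expired
  return session.userId;
}

// Handle GET/PUT on one note (hypothetical request shape).
// The owner is taken from the token, never from anything the client sends.
function handleNote(req, now = Date.now()) {
  const userId = authenticate(req.headers, now);
  if (userId === null) return { status: 401 };
  if (req.method !== 'GET' && req.method !== 'PUT') return { status: 405 };
  const note = notes.get(req.noteId);
  // Same 404 for "missing" and "someone else's", so note ids cannot be probed.
  if (!note || note.ownerId !== userId) return { status: 404 };
  if (req.method === 'PUT') note.text = String(req.body);
  return { status: 200, body: note.text };
}

// Constructed sample data: one private note owned by alice.
notes.set('n1', { ownerId: 'alice', text: 'alice private note' });
const aliceToken = issueToken('alice');
const bobToken = issueToken('bob');
const bearer = (t) => ({ authorization: `Bearer ${t}` });

console.log(handleNote({ method: 'GET', noteId: 'n1', headers: bearer(aliceToken) }));
console.log(handleNote({ method: 'GET', noteId: 'n1', headers: bearer(bobToken) }));
console.log(handleNote({ method: 'GET', noteId: 'n1', headers: {} }));
```

The per-record ownership check is what keeps an exposed endpoint safe with a pure JS client: anything enforced only in the front end can be bypassed by calling the API directly.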