I am currently implementing a Facebook Chat Extension which basically is just a web page displayed in a browser provided by the Facebook Messenger app. This web page communicates with a corporate backend over a REST API (implemented with Python/Flask). Communication is done via HTTPS.

My question: How to secure the communication between the web page and the backend, in the sense that the backend cannot be accessed by any clients that we do not control?

I am new to the topic, and would like to avoid making beginners' mistakes or add too complicated protocols to our tech stack.

  • Is your goal to prevent someone else, who figures out your web page URL, from calling it from another browser, OR is the goal to increase the effort needed to do the same and be successful? Commented Jan 17, 2018 at 21:20
  • The former: I want to prevent anyone but the Website to access the REST API. Commented Jan 17, 2018 at 21:22

2 Answers

1

Short answer: You can't. Everything can be faked by e.g. curl and some scripting.

Slightly longer: You can make it harder. Non-browser clients have to implement everything you do to authenticate your app (like client-side certificates and signed requests), forcing them to reverse engineer every obfuscation you do.

The low-hanging fruit is to use CORS and set the Access-Control-Allow-Origin header to your domain. Browsers will respect your setting and won't allow requests to your API (they do an OPTIONS request to determine that).

But then again a non official client could just use a proxy.

1 Comment

Off the top of my head, I could think of an approach where the server of the Website creates an id that the Website needs to include in an API request. And I could think of the API to only answer to whitelisted IP addresses. But I am no expert and these are just naive ideas. I hope that there is more than "you can't" to this question.
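The two controls the answer names, a CORS allow-list and signed requests, as an added example written for this question (not code from the answerer or the asker's project). It is plain Python with no Flask import so it runs stand-alone; the origin, secret, header names and time window are constructed assumptions, and the functions are meant to be called from a Flask before_request hook.

```python
"""Server-side checks for a browser-facing REST API (constructed example).

1. cors_headers: echo Access-Control-Allow-Origin only for the allow-listed
   origin, so browsers refuse cross-origin calls (browser-enforced only).
2. verify_signed_request: require an HMAC over method, path, timestamp and
   body, so a caller needs the shared secret and not just the URL.
"""
import hashlib
import hmac
import time

ALLOWED_ORIGIN = "https://chat-extension.example.com"   # constructed sample value
SHARED_SECRET = b"constructed-sample-secret-rotate-me"  # constructed sample value
MAX_SKEW_SECONDS = 300  # assumed replay window; tune for your clock drift


def cors_headers(origin):
    """Return CORS headers for the preflight/actual response, or {} to block."""
    if origin != ALLOWED_ORIGIN:
        return {}  # no ACAO header -> the browser blocks the cross-origin call
    return {
        "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
        "Vary": "Origin",  # cache responses per origin, never '*'
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type, X-Timestamp, X-Signature",
    }


def sign_request(method, path, body, timestamp, secret=SHARED_SECRET):
    """HMAC-SHA256 over the request; client and server compute the same value."""
    msg = b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signed_request(method, path, body, headers, now=None):
    """Reject a missing, stale or wrong signature. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"  # limits replay
    expected = sign_request(method, path, body, ts)
    supplied = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return False, "bad signature"
    return True, "ok"
```

As the answer says, neither check stops a determined non-browser client: CORS is only honoured by browsers, and a secret shipped inside the web page can be read by anyone who loads it, so signing raises the effort rather than proving the caller is your site.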
0

You can't be 100% sure that the given header data from the client is true. It's more about honesty and less about security. ("It's a feature - not a bug.")

Rather think about what could happen if someone uses your API in a malicious way (DDoS or data leak)? And how would he use it? There are probably patterns to recognize an attacker (like an unusual amount of requests).

After you analyzed this situation, you can find more information here about the right approach to secure your API: https://www.incapsula.com/blog/best-practices-for-securing-your-api.html

1 Comment

Amazon tries to solve a similar problem (not the same, but maybe you can use the techniques): docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html
