
I have api.example.com and example.com. I need example.com to be able to exchange data with api.example.com, but I don't want to take extra security measures. Before now I sent requests to api.example.com (axios.get("http://api.example.com")), but there I used JWT tokens. Now there is no need for them; how do I make the communication secure?

  • Are you getting error(s) when trying to make a request to api.example.com from example.com? What do you mean by "there is no need in them"? No need to use JWT? Commented Jun 12, 2020 at 1:38
  • What I mean by "No need to use JWT": I haven't used React for long, and the apps I've done are CRM systems. There I used complex role-based access using JWT tokens (Auth0). I had enough of a security layer. In the current project I don't need it. It will be a simple company site written in React. It should communicate with a local API located on the same server (subdomain). And now I don't have that security layer (JWT), so I need somehow to make the communication secure. Commented Jun 12, 2020 at 1:48
  • So if I understand you correctly, you're looking for an "easier" way to communicate securely between your frontend and backend? Commented Jun 12, 2020 at 2:05
  • Yes. JWT is overkill. Commented Jun 12, 2020 at 2:09

1 Answer

You could use a private API key to secure communication. Here's the general approach:

1. Come up with a complicated password, and use a PROVEN hashing algorithm to obfuscate it. This is your API key.

2. Every request from the front-end to the backend should contain the API key, preferably as part of the headers under the Authorization property, like so:

Authorization: Apikey TEST_API_KEY

3. Your backend decodes the hashed value with the same hashing algorithm and compares it with the password; if it's not a match, send a 401 status!

Make sure your requests are over HTTPS, as that way the request is encrypted.


2 Comments

Good approach. I use it too, but it's not applicable to React... So, as I understand, there are several options. 1. I do not use security measures at all. Assume that if the API exists only to serve a public frontend, there is no need to protect it. The only protection I should use is a captcha to avoid spamming. But in this case, using Postman, for example, does not protect me. What should I do to restrict spam? 2. I use your option with a secret and hash, but the algorithm is in the JS bundle code, which is sent to the client, so anyone can see the secret code and hashing algorithm. Am I right?
1. If it's a strictly public API and clients will only be making GET requests, you can expose the API without making it secure, provided that you use procedures to limit DDoS attacks (e.g. limit the number of requests per second from devices/IP addresses), but these aren't completely bullet-proof. 2. You don't decode the hash on the client; the client only sends the secret with every request, but yes, the API key is exposed. There are ways to obfuscate your JS bundle, and bundlers like Webpack make it easy, but not bullet-proof.
