Hello there,
Is it possible to set up the API endpoints so that they can only be accessed via the front end and not from external sources? Or is this already the standard setting?
@Marcel
We have a number of technologies to protect your API.
Endpoint Protection (ECDSA signatures)
When you enable it in the endpoint properties, a unique signature is generated for each endpoint call that validates that the request came from your web or mobile application. For every reply from the server, the frontend also checks the server signature. It works on endpoints regardless of authentication. While it does not guarantee 100% protection, it makes calling your API extremely difficult. Once enabled, you will not be able to test your API with Swagger or Postman. To confirm that it's working, check the request headers (x-client-sign, x-server-sign) and try to call the API from Postman.
Payload encryption
When this option is enabled, every request and response payload is encrypted with AES, with Perfect Forward Secrecy and ECDH key exchange. The best practice is to use encryption only on endpoints used for sensitive information such as sign-in, password reset, various tokens and personal information exchange. Every API call will make 2 requests, increasing traffic and potentially adding slight delays. Don't overuse it.
Authenticated signatures and secure auth token storage
We support an enhanced mode for storing user credentials client-side, which introduces additional signatures on requests (x-auth-sign). In your web and mobile apps, generate a Session Key every time before authentication and send the public key along with the credentials (login/password, social auth code, etc.). Once the server has authenticated your user, it will expect x-auth-sign in every authenticated API call. It greatly increases the security of user sessions and API calls; it is almost impossible to steal a user session from the device.
The best practice is to use all of those features together; it will protect your app and make it more secure than 99% of all apps.