Is an API call in page code secure?

Hi
Xano noob here.
I'm doing a GET request in Webflow to my Xano DB as per one of Prakash's great video tutes.
I'm not using any Xano Auth as users can only access the page in question if they login via my Memberstack integration with Webflow.

Do I need any other security on the API calls/endpoints that are in my page source code with the above setup?
Cheers
~James

Comments

  • Brett Lewis (Member)
    Hey James,

    I've pondered this too.

    If you want to lock your endpoints down, one way is to use a header variable in your calls, and set a precondition at the top of your Xano endpoint logic stack to check for that. And set the variable in your environment variables, so that if you need to change it, you don't have to revisit every endpoint.
  • James Cowen (Member)
    Interesting approach. Thanks for that Brett. I'll have a play. Cheers!
  • Sean Montgomery (Administrator)
    Great question.

    Anything that is static in the page can be seen with developer tools and then used to run elsewhere. This is the same problem that Google Maps has. They give you an API key, but it is static in the HTML/JavaScript.

    This key tends to be transferred as a header, which is always a good choice. However, that doesn't mean it is secure because it can still be observed with developer tools. It is still way better than no public API key, so definitely the right approach to get started securing your public API as much as you can.

    This means that you should assume your public API is never fully secure... but you can make it something that someone wouldn't want to use in a professional manner.

    The way to do this would be to add Referer whitelisting to the API along with the public API key.

    Some browsers send an HTTP header labeled as Referer. This is an optional header, so it isn't guaranteed. Also, some security software suites mask it, so it can't be relied on to always be there. That being said, it can definitely be relied on for some users, which is all you care about. By using this, it would prevent another company from stealing your API for themselves, because it would not be reliable for their users and would give them a terrible experience. Some users could use it, some wouldn't. Enough people would get angry and stop being a customer. Assuming the business cares about its customer base, it would make sense that they would try something else instead of using your API in an unreliable manner.
  • James Cowen (Member)
    Mind blown, thanks.