NodeJS / express - security for a public API endpoint

I am developing a website project based on NodeJs / Express, and for some parts of the user interface I use jQuery ajax to get secondary data.

How can we implement some basic control over our REST API endpoints, which the browser calls via ajax? I thought about some kind of authorization with tokens, but other clients (scripts, etc.) can also use a token after intercepting it, so how can we protect our server from unwanted requests? What other controls should be used in such cases (recognizing too many requests from the same client, blacklisted clients, etc.)?

+4
2 answers

There are three main topics: authentication, authorization and security. I will give links and only short answers; the topic is large enough to fill several books.

Authentication is about who makes the request. There are many "strategies" for user authentication. Please check the most modular module for this: http://passportjs.org/docs .

Of course, you can implement one or more of these strategies.

jwt: https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens

https

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ (XSS, cookie)

node_acl: https://github.com/OptimalBits/node_acl , https://gist.github.com/danwit/e0a7c5ad57c9ce5659d2

http://sailsjs.org/documentation/concepts/security :

DDOS: API, IP (https://www.npmjs.com/package/delayed-request)

CSRF: https://www.npmjs.com/package/csrf

XSS: JavaScript. https://www.npmjs.com/package/xss


+9

(http://passportjs.org/), REST-apis... API.

DoS (node.js express). DoS (https://en.wikipedia.org/wiki/Denial-of-service_attack#Defense_techniques) ...

0

Source: https://habr.com/ru/post/1609117/
