Protecting API Route
Answered
American Crocodile posted this in #help-forum
American CrocodileOP
Hey, I'm currently having trouble securing or protecting my API route. My first idea to protect it was just like the image, but I realize this is useless: people can open their web console and see the key. What else can I do to add some authorization?
I can't use next-auth because this form is meant to be public, for guests or non-logged-in members to perform an order.
Answered by B33fb0n3
When your route is public, you can add a public API key that the user (client) somehow receives when using your page. This API key can then be verified by your server. Keep in mind: the public API key is shared with the client, so it can be published and there can still be abuse of your functions.
Some things you might want to consider are rate limiting by IP. Another thing you might want to think of is using CORS to only allow requests from a specific origin. That's just basic protection, and you should add an additional layer of security on the network level to prevent unwanted access.
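One way to combine the three suggestions in this answer (a public API key check, an origin check in the spirit of CORS, and per-IP rate limiting) in a Next.js App Router route handler. This is an added example, not code from the thread or from Next.js; the key value, the allowed origin, the in-memory limiter and the `x-forwarded-for` handling are assumptions made for illustration.

```javascript
// Added example (not from the original thread): a Next.js App Router style
// handler (e.g. app/api/order/route.js) that layers the answer's three checks.

// Hypothetical public key. In a real app it would come from an env var such as
// process.env.NEXT_PUBLIC_ORDER_API_KEY. Because it ships to the browser, it only
// stops casual requests; anyone can read it from the bundle, as the answer notes.
const PUBLIC_API_KEY = "demo-public-key-123"; // constructed value

// Origins allowed to submit orders (constructed list).
const ALLOWED_ORIGINS = new Set(["https://shop.example.com"]);

// The key is public by design, so a timing-safe comparison buys nothing here;
// a plain equality check is sufficient.
function verifyPublicKey(provided) {
  return typeof provided === "string" && provided === PUBLIC_API_KEY;
}

// Browsers always send Origin on POST requests and will not let page scripts
// forge it. Non-browser clients can set any Origin, so this only filters
// browser-side abuse; it is not an authentication mechanism.
function checkOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Fixed-window rate limiter keyed by client IP. It lives in process memory, so
// on serverless or multi-instance deployments a shared store (Redis etc.) is needed.
function createRateLimiter({ limit, windowMs }) {
  const buckets = new Map();
  return {
    allow(ip, now = Date.now()) {
      const bucket = buckets.get(ip);
      if (!bucket || now - bucket.start >= windowMs) {
        buckets.set(ip, { start: now, count: 1 });
        return true;
      }
      bucket.count += 1;
      return bucket.count <= limit;
    },
  };
}

const limiter = createRateLimiter({ limit: 5, windowMs: 60_000 });

// Pure decision function: headers is a plain object with lowercase names,
// so the policy can be tested without constructing Request objects.
function authorizeOrderRequest({ headers, ip, now }) {
  if (!checkOrigin(headers["origin"])) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  if (!verifyPublicKey(headers["x-api-key"])) {
    return { ok: false, status: 401, reason: "bad api key" };
  }
  if (!limiter.allow(ip, now)) {
    return { ok: false, status: 429, reason: "rate limited" };
  }
  return { ok: true, status: 200 };
}

// Route handler using the standard Request/Response objects that Next.js
// route handlers receive and return. The client IP is taken from
// x-forwarded-for as a reverse proxy would set it (assumption: trusted proxy).
async function POST(request) {
  const headers = {
    origin: request.headers.get("origin"),
    "x-api-key": request.headers.get("x-api-key"),
  };
  const forwarded = request.headers.get("x-forwarded-for") || "";
  const ip = forwarded.split(",")[0].trim() || "unknown";

  const decision = authorizeOrderRequest({ headers, ip });
  if (!decision.ok) {
    return Response.json({ error: decision.reason }, { status: decision.status });
  }

  const order = await request.json(); // validate the fields before persisting
  // ... store `order` in the database here ...
  return Response.json({ received: Object.keys(order).length }, { status: 200 });
}
```

The browser side would send the key in an `x-api-key` header from the order form. None of these layers authenticates the caller; they raise the cost of scripted abuse, which is why the answer recommends adding network-level controls on top.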
7 Replies
Did I understand you right: it's a public route, but you still want to protect it?
American CrocodileOP
Idk how to explain it, but the goal is to store some data in my database via the API. To make sure not just anyone can make a request to the endpoint and store data by themselves without my page's form, I need some kind of protection.
Answer
happy to help
American CrocodileOP
I found this, do you think this could help as a solution?
https://vercel.com/docs/security/secure-backend-access/oidc/api
It's also a possible way to secure your backend.