
m16u31:

Protect API endpoint

Hello guys, I created an API, but a competitor website steals the content of my API.

How can I protect the links so they can't be accessed from another server?

The endpoint I want to protect is public access, it does not require user authentication.

I have tried making the endpoint POST so that the CSRF protection can protect the endpoint, but the site that steals my content manages to get past the CSRF token protection without any problem (looking for tutorials on how to hack the CSRF token, I saw that it is not very complicated).

If I use some kind of token or bearer and it is sent in headers, it is useless because it is easy to identify and reuse the data to make requests and steal my content.

Any ideas/suggestions on how to protect my routes?

tykus:

The endpoint I want to protect is public access, it does not require user authentication.

A public API is public. A CSRF token is not the solution; properly implementing API token authentication is your best approach.

tisuchi:

@m16u31

⚠️ First of all, it's always a good idea to protect your content if you don't want it to be publicly accessible.

There are a few ways to protect your API endpoints from unauthorized access:

API Key: You can use API keys to restrict access to your API endpoints. This method allows you to track and limit the usage of your API. You can also revoke access to specific keys if you suspect they are being used by unauthorized parties.

Basic Authentication: You can use basic authentication to restrict access to your endpoint. This requires a username and password to be sent with each request. This method is still vulnerable to attacks like brute-force attacks.

OAuth 2.0 or JWT token-based authentication: This is a more secure way of protecting your API endpoints. The client needs to provide a valid token with each request, which can be verified on the server side. This method is more secure than the previous two methods, but it still requires the client to have the token.

IP Whitelisting: You can restrict access to your API endpoint to a specific set of IP addresses. This way, only requests coming from those IPs will be able to access the endpoint. This method can be easily bypassed if the attacker knows your IPs.

Captcha: Use Captcha to block automated requests.

Please take note that this is a rough opinion. Depending on your needs, you can choose a solution and tweak it.

m16u31:

@tisuchi @tykus

API Key: I already tried, but it is useless: if I send the API key in the URL as a parameter it is visible, and if I send it as a header it is visible.

Basic Authentication: I don't want to use that yet.

OAuth 2.0 or JWT token-based authentication: I will try that today.

IP Whitelisting: the problem is that the attacker uses proxies (I guess) and changes IPs constantly, and I have already blocked several IPs. I did something like: if in 10 minutes there are X number of requests, I block the IP. But as it constantly changes IP, this gives me no protection.

Captcha: I thought about it; the problem is that I cannot identify which would be an automatic request.

I use VueJs as frontend, I also use axios. If you have any suggestions on the client side it would be good.

These days I'm changing the URL of the endpoint every 6 hours. I'm making it a little complicated for the attackers, but they always steal the information from the endpoint.

@sinnbeck let's say it's a list of songs by a certain artist. Anyone can access them; I don't need a user to log in to see them. But the problem is that the playlist is not easy to get, it takes some time and work, and my clients don't want scrapers to steal that information and make money from it.

Sinnbeck:

What is it used for since it does not require authentication? Sounds like they are using it as it's meant to be used?

jlrdw:

Exactly what are you wanting to protect, since it's public anyway? Are portions of it supposed to be protected?

I suggest viewing here at least some of the free training on security, and look over the Laravel Passport chapter in the documentation.

martinbean:

@m16u31 Not really sure what you’re expecting? If you don’t want people scraping your API then add authentication.

It’s like leaving your doors and windows unlocked and open, then complaining your house keeps getting burgled.

