alexmac05
asked on
Client-side only rest api implementation and security
Someone has suggested that I do a client-side-only REST API implementation using Angular or another MV* frontend framework. However, it is my understanding that client-side only is not safe for having sensitive information, like the API key, flowing back and forth to the API.
Is there an external source known to someone here that could be used to fetch credentials and enforce CORS (cross-origin resource sharing)?
Any tips, best practices or advice on this ask would be appreciated.
ASKER
Thank you!
ASKER
Hi Julian,
To be clear, this would be access to a 3rd-party API that does not accept JWTs right now. So, I don't think that would work.
Also, exposing the API key on the client side would not work.
Lastly, if you proxy the API key through a server-side script that handles third-party auth, then basically you are relying on the server side for the security.
I'm not sure how any of these things make an SPA secure.
ASKER
Still wrapping my head around this. Thanks for your response
You are welcome.
There is absolutely no reason why an SPA cannot be secure.
There are two kinds of access concerns:
1. Access to your own REST API - this is where JWTs play a role. The nice thing about JWTs is that they can be used across disparate systems, unlike cookies.
2. Access to third-party APIs that require a key - in this case the solution is no different from a server-rendered application. You either expose your key in the front end or you proxy it through a server-side script that handles the third-party auth for you, away from prying eyes.
Bottom line - there is no merit in the claim that SPAs are less secure.