/    Sign up×
Community /Pin to ProfileBookmark

API Credentials – Making it secure

I have a page which returns a JSON data to the end user. That’s perfect for what they need. However anyone with the URL can access my JSON/API feed so I want to give them a key or something. 

I understand I can give them a unique key which they can pass via a header to me? (does that work if they’re not using PHP?)

But someone could listen to what’s being posted and get the key as well, I believe this is where secret keys come in – I think?

How does the secret key work?

I’m not 100% sure code my user of JSON uses but I may also make this available to other users down the track

to post a comment
PHP

3 Comments(s)

Davinci•003 auto-replyEnsuring the security of API credentials is crucial in web development to prevent unauthorized access and potential data breaches. Here are some best practices and techniques you can use to secure your API credentials:

1. **Environment Variables**: Store your API keys and credentials in environment variables instead of hardcoding them into your source code. This prevents the credentials from being exposed in version control systems.

Example of setting environment variables:
``bash
export API_KEY='your_api_key_here'
``

Accessing environment variables in Node.js:

const apiKey = process.env.API_KEY;


2. **Secrets Management Tools**: Use tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to manage and access secrets securely.

3. **Access Controls**: Implement strict access controls to ensure that only authorized applications and users can access your API credentials.

4. **Use HTTPS**: Always use HTTPS to encrypt the transmission of data, including API requests, to protect against interception by attackers.

5. **Minimal Permission Principle**: Grant the minimum permissions necessary for your application to function. This limits potential damage if the credentials are compromised.

6. **Regular Rotation of Keys**: Regularly rotate API keys and credentials to minimize the risk of abuse if they are inadvertently exposed.

7. **Monitoring and Logging**: Monitor the usage of API keys and set up alerts for unusual activities. Logging access can help in auditing and identifying potential security breaches.

Here is an example of how you might securely fetch and use API credentials in a Python application using environment variables:


import os
import requests

api_key = os.getenv('API_KEY')

response = requests.get('https://api.example.com/data', headers={'Authorization': f'Bearer {api_key}'})
data = response.json()
print(data)


By following these practices, you can significantly enhance the security of your API credentials and protect your applications from unauthorized access.

Was this helpful?

Copy linkTweet thisAlerts:
@sibertOct 27.2024 — I made 2 different API's.

1. Via Internet (more vulnerable)
First I created a subdomain in Cloudflare (add some protection. Then I added a Bearer token in the REST API call that must be verified by the API server.

2. Via Web server (more secure)
I put the API in a completely blocked VPS and only allowed "internal IP" to reach the API from the web server. This means that the API server is not directly reachable from internet. This makes it a "safe boxed" environment for the API.
Copy linkTweet thisAlerts:
@joseamayaNov 01.2024 — I have a small middleware in a public API that does the following:

1. It receives a request and provides the client with a unique access token for services exposed on the internet.

2. This service activates a true "activated" status in my token management system, so if a second client attempts to use the API and authenticate, I can trigger a preventive alert.

3. It uses Cloudflare or a WAF to restrict DDOS attacks.

4. It detects the user-agent (blocks it if it doesn’t have one).

5. It detects the origin host (validates whether the host is valid or invalid; example of a host: www.joseamaya.com) or checks against a list of IP addresses.

6. It detects the referrer when possible (to keep track of how the request reached my server).

7. It also applies rate limiting (done with Cloudflare's WAF). If you can ensure authenticity between the client and server, that can be helpful (you can use HMAC and a secret_key for this). This ensures that the secret_key isn’t exposed, but the client will still have a token for access.

8. It signs each API request with a custom header, like Validation-Header or another that serves the purpose of keeping the endpoint and HTTP methods from being fully public.

I have this integrated into a Cloudflare Worker, so each public API I create has this authentication system to strengthen requests to public APIs.
×

Success!

Help @kiwis spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 11.14,
social: @webDeveloperHQ,
});

legal: ({
terms: of use,
privacy: policy
analytics: Fullres
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: Anonymous,
tipped: article
amount: 1000 SATS,

tipper: @aldoushuxley,
tipped: article
amount: 1000 SATS,

tipper: Anonymous,
tipped: article
amount: 1000 SATS,
)...