You only control the server

I recently worked on a project using the venerable Angular JS (yes, Angular ONE) and Django rest framework as backend. The former developer was not seasoned in web app development and made some mistakes.

Nowadays, client-side frameworks have become big pieces of software that can handle a lot. I guess that's why people tend to forget that the backend still matters. We even speak about serverless architecture! So it's tempting to do most of the computation on the client side and to have an API that is only responsible for translating JSON into database queries.

Unfortunately, developers have no real control over the client. You may think that all your users will connect through a browser, but anyone can also call your API with cURL. Even in the browser, requests can be modified and replayed from the built-in developer tools. I won't even mention Burp Suite!

The security and consistency of your system are the responsibility of your server. That doesn't mean the client should not implement any business logic and go back to web 1.0. For instance, in the case of an order, the client can retrieve product information and make buying suggestions to the user. Then, at checkout, it only sends the product id and quantity as order data.

Do not accept a price coming from the client to carry out a transaction: fetch the order details on the server and recompute the price of the whole order from your own product data.

Do not assume that a client is authenticated because you set a cookie on the client side. Check on every call that the caller actually has the right to perform the action.
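To make the two previous points concrete, here is an added example (not code from the original post or from its Django project) of a checkout handler that behaves the way the post recommends: it re-checks authorization on every call from the server-side session that the cookie maps to, ignores any price the client sends, and recomputes the order total from the server's own catalogue. The catalogue, session store and request shape are constructed stand-ins for a database, a session backend and a framework request object; they are assumptions, not Django REST framework APIs.

```python
from decimal import Decimal

# Constructed stand-in for the products table. Prices live only here,
# never in anything the client sends.
CATALOG = {
    "sku-1001": Decimal("19.99"),
    "sku-1002": Decimal("5.00"),
}

# Constructed stand-in for the server-side session store the cookie maps to.
# A cookie value that is not present here is just an unauthenticated caller.
SESSIONS = {
    "sess-alice": {"user": "alice", "permissions": {"order.create"}},
    "sess-bob": {"user": "bob", "permissions": set()},
}


class ApiError(Exception):
    """Error carrying the HTTP status the handler should answer with."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def authorize(request, required_permission):
    """Resolve the caller from the cookie and check the permission on this call.

    Having a cookie proves nothing by itself: the session must exist server-side
    and must carry the permission for the action being attempted.
    """
    session_id = request.get("cookies", {}).get("sessionid")
    session = SESSIONS.get(session_id)
    if session is None:
        raise ApiError(401, "not authenticated")
    if required_permission not in session["permissions"]:
        raise ApiError(403, "forbidden")
    return session["user"]


def compute_total(items):
    """Recompute the order total from the catalogue.

    Only product_id and quantity are read from each item; a client-supplied
    'price' key is silently ignored rather than trusted.
    """
    total = Decimal("0")
    for item in items:
        product_id = item.get("product_id")
        quantity = item.get("quantity")
        if product_id not in CATALOG:
            raise ApiError(400, "unknown product %r" % (product_id,))
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity <= 0:
            raise ApiError(400, "invalid quantity for %r" % (product_id,))
        total += CATALOG[product_id] * quantity
    return total


def checkout(request):
    """Handle POST /orders: authorize, validate, recompute, then answer.

    The request is a plain dict: {"cookies": {...}, "body": {"items": [...]}}.
    Returns a response dict with an HTTP status instead of raising, so the
    caller (or a test) can inspect the outcome directly.
    """
    try:
        user = authorize(request, "order.create")
        items = request.get("body", {}).get("items")
        if not isinstance(items, list) or not items:
            raise ApiError(400, "order has no items")
        total = compute_total(items)
    except ApiError as err:
        return {"status": err.status, "error": err.message}
    # str() keeps the exact decimal representation for the JSON response.
    return {"status": 201, "user": user, "total": str(total)}


if __name__ == "__main__":
    tampered = {
        "cookies": {"sessionid": "sess-alice"},
        "body": {"items": [{"product_id": "sku-1001", "quantity": 2, "price": "0.01"}]},
    }
    print(checkout(tampered))
```

The `price` field in the tampered request above changes nothing in the response, because the total is derived only from `CATALOG`. Replacing the constructed dicts with real model and session lookups keeps the same structure: permission check first, input validation second, and every money figure computed from data the server owns.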

And please, do not leave an API method that drops everything in your DB, unless restoring backups is your hobby (did you ever consider a healthier hobby?).

Posted on 2019-03-10 at 21:14
