You only control the server

I recently worked on a project using the venerable Angular JS (yes, Angular ONE) and Django Rest Framework on the backend. The former developer was not seasoned in web app development and made some mistakes.

  • He forgot to authenticate the user for some API calls
  • Some API calls accepted information computed on the client side, like the amount of a transaction.
  • Some API calls were dangerous, like a call that deleted the whole database (and of course, not authenticated on the server side)

Nowadays, client-side frameworks have become big pieces of software that can handle a lot. I guess that's why people tend to forget that the backend still matters. We even speak about serverless architecture! So it's tempting to do most of the computation on the client side and to have an API only responsible for translating JSON into database queries.

Unfortunately, developers have no real control over the client. You may think that every user will connect through a browser, but one can also call your API with cURL. Even in the browser, requests can be modified and replayed from the built-in developer tools. And I haven't even mentioned Burp Suite!

The security and consistency of your system are the responsibility of your server. That doesn't mean the client should not implement any business logic and that we should go back to web 1.0. For instance, in the case of an order, the client can retrieve product information and make buying suggestions to the user. Then, during checkout, it only sends product identifiers and quantities as order data.

Do not accept a price coming from the client to carry out a transaction: get the order details and recompute the price of the whole order on the server.

Do not assume that a client is authenticated because you set a cookie on the client side. Check that the caller actually has the right to perform the action on each call.
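Here is what the two rules above look like in code, as an added example that is not part of the original post and not the project's Django Rest Framework code. It is plain, framework-agnostic Python so it runs on its own: the catalogue, the permission table, the user names and the SKUs are all constructed for the demonstration, and `handle_checkout` plays the role a DRF view would play. The order payload carries only product identifiers and quantities; the total is recomputed from the server-side catalogue, a client-supplied price is rejected outright, and the caller's right to check out is checked on every call rather than inferred from a cookie.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side catalogue: prices live here, never in the request.
CATALOGUE = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("5.00"),
}

# Constructed permission table: which (already authenticated) user may do what.
PERMISSIONS = {
    "alice": {"can_checkout": True},
    "guest": {"can_checkout": False},
}


class Forbidden(Exception):
    """Raised when the caller is not authenticated or not authorised."""


class BadRequest(Exception):
    """Raised when the order payload is not acceptable."""


@dataclass(frozen=True)
class OrderLine:
    product_id: str
    quantity: int


def authorise(user, action):
    """Check the caller's right on every call; a cookie alone proves nothing."""
    if user is None:
        raise Forbidden("authentication required")
    if not PERMISSIONS.get(user, {}).get(action, False):
        raise Forbidden(f"{user} may not {action}")


def parse_order(payload):
    """Accept only product identifier and quantity; never a client-side amount."""
    if "total" in payload or "price" in payload:
        # A client-computed amount is never trusted; reject instead of silently dropping it.
        raise BadRequest("client must not supply a price")
    lines = []
    for item in payload.get("items", []):
        pid = item.get("product_id")
        qty = item.get("quantity")
        if pid not in CATALOGUE:
            raise BadRequest(f"unknown product {pid!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise BadRequest(f"invalid quantity for {pid!r}")
        lines.append(OrderLine(pid, qty))
    if not lines:
        raise BadRequest("empty order")
    return lines


def compute_total(lines):
    """Recompute the amount from the server-side catalogue, not from the request."""
    return sum((CATALOGUE[line.product_id] * line.quantity for line in lines), Decimal("0"))


def checkout(user, payload):
    """What a checkout endpoint should do: authorise, validate, recompute."""
    authorise(user, "can_checkout")
    lines = parse_order(payload)
    return compute_total(lines)


def handle_checkout(user, payload):
    """View-style wrapper: map outcomes onto HTTP-like status codes."""
    try:
        total = checkout(user, payload)
    except Forbidden as err:
        return (401 if user is None else 403, str(err))
    except BadRequest as err:
        return (400, str(err))
    return (200, str(total))


if __name__ == "__main__":
    order = {"items": [{"product_id": "sku-100", "quantity": 2},
                       {"product_id": "sku-200", "quantity": 1}]}
    print(handle_checkout("alice", order))          # (200, '44.98')
    print(handle_checkout(None, order))             # (401, 'authentication required')
    print(handle_checkout("alice", dict(order, total="0.01")))  # (400, ...)
```

The important design choice is that a payload containing a price is refused rather than quietly ignored: silently dropping the field would hide a client that is out of step with the API contract, which is exactly the kind of mismatch you want to notice early.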

And please, do not leave an API method that drops everything in your DB, unless restoring backups is your hobby (did you ever consider a healthier hobby?).

Posted on 2019-03-10 at 21:14

Tags: programming, security
