Website to Connect to External API
Jun 24, 2020 03:08 PM | JJMunsterteiger
We have a website where we are creating a Help Desk ticket portal. We would like to connect this site to our Auto Task API.
I am confused as to where to place the code for the connection into our website's structure in order to ensure it is secure.
What is the best practice to utilize a form to send data to an API in a call while limiting the users access to the code?
Thanks
Jason
Re: Website to Connect to External API
Jun 24, 2020 03:49 PM | mgebhard
How does your Web Site and Web API security work?
If we assume the Web Site is secured by a login, then you would write code or add configuration that only allows users with the appropriate privileges to access the form.
Re: Website to Connect to External API
Jun 24, 2020 09:12 PM | JJMunsterteiger
The site is an intranet site. It has a database of users with permissions and we store session data in a table.
The API uses SOAP. I am concerned that if I add credentials and access to the external API from our site, users may be able to access the connection information.
How do I know the SOAP authorization code and execution of calls is limited to our designated form or method?
Thanks,
Jason
Re: Website to Connect to External API
Jun 24, 2020 10:09 PM | mgebhard
You are asking this question as if your application and security model are common knowledge. Perhaps there is someone on your team who can help you?
Re: Website to Connect to External API
Jun 25, 2020 12:15 PM | JJMunsterteiger
Not really. My manager has some experience with this particular API, but I am more concerned with best practice. Could you please suggest a link that would get me in the right direction of beginning my understanding of protecting my API code in my internal site? I was searching "Securely access an external API from your website" but I could not locate something that fit the answer I am looking for. As I proofread my response I am seeing that I can search for "Protecting Code in your Web App".
I will start there but any suggestion of material from someone with more knowledge would be greatly appreciated.
Jason
Re: Website to Connect to External API
Jun 25, 2020 08:03 PM | bruce (sqlwork.com)
you don't secure the external api (that's their job). you secure your site. your site (even if only web pages) becomes an open api. the code that calls the external api should verify the user is allowed to make the call, and that the data passed is allowed to be sent by the user.
if your site is given admin access to the second site, rather than passing the user, then you need more verification of the requests.
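The pattern bruce describes, as an added example that is not from the thread or from the Autotask vendor: one server-side endpoint is the only place the SOAP API is ever called, the browser only posts form fields to it, and the API credentials never leave server configuration. It assumes ASP.NET Core, an authorization policy named `CanOpenTicket` that you register against your own permissions table, and a hypothetical `ITicketGateway` wrapping the generated SOAP proxy (its real shape depends on the vendor's WSDL).

```csharp
// Added example, not code from the thread. Assumptions: ASP.NET Core,
// a "CanOpenTicket" policy wired to your permissions table, and a
// hypothetical ITicketGateway around the generated SOAP client.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

public interface ITicketGateway   // hypothetical wrapper over the SOAP proxy
{
    Task<string> CreateTicketAsync(string apiUser, string apiSecret,
                                   string requester, string title, string body);
}

public record TicketForm(string Title, string Body); // only the fields the form may send

[ApiController]
[Route("api/tickets")]
[Authorize(Policy = "CanOpenTicket")]  // site login plus a permission check, per request
public class TicketsController : ControllerBase
{
    private readonly ITicketGateway _gateway;
    private readonly IConfiguration _config;

    public TicketsController(ITicketGateway gateway, IConfiguration config)
    {
        _gateway = gateway;
        _config = config;
    }

    [HttpPost]
    public async Task<IActionResult> Create([FromBody] TicketForm form)
    {
        // 1. Validate the data the user is allowed to send; reject anything else.
        if (string.IsNullOrWhiteSpace(form.Title) || form.Title.Length > 200
            || string.IsNullOrWhiteSpace(form.Body) || form.Body.Length > 4000)
            return BadRequest("title (max 200) and body (max 4000) are required");

        // 2. Requester comes from the authenticated session, never from the form,
        //    so nobody can open a ticket under another user's name.
        var requester = User.FindFirstValue(ClaimTypes.Name)
                        ?? throw new InvalidOperationException("no authenticated user");

        // 3. API credentials live in server-side config (user-secrets, env vars,
        //    a vault); they are never rendered into a page or script.
        var apiUser   = _config["Autotask:User"]   ?? throw new InvalidOperationException("missing Autotask:User");
        var apiSecret = _config["Autotask:Secret"] ?? throw new InvalidOperationException("missing Autotask:Secret");

        var ticketId = await _gateway.CreateTicketAsync(apiUser, apiSecret, requester, form.Title, form.Body);
        return Ok(new { ticketId });
    }
}
```

Because the site itself holds the API credentials (the "admin access" case in the reply above), the policy check and the field validation in this endpoint are what stand in for the per-user authorization the external API cannot perform.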