DEV Community

Discussion on: Quickest Way to Secure API Keys on the Frontend (In Minutes)

KOR Connect

There is no secret being exposed; the API key that is provided by KOR Connect is meant for identifying users' projects and the usage of the service, as well as troubleshooting when developers run into issues. Having access to this public key doesn't grant you access to the specific API you are using or to your API's key. The public URL that is provided by KOR Connect has a number of security layers implemented when it is being called to reduce the likelihood of malicious activity making it through to the integrating API, preventing automated attacks and disruptions of service.

KOR Connect, as stated by the article, is meant to integrate APIs that are for public-facing websites/applications that don't require user authentication. Financial applications would require some kind of user auth before allowing access to sensitive information, which KOR Connect does not currently offer.

chris damour • Edited

The KOR API key IS a secret; any secret that lets you leverage other secrets is transitively a secret. And it's exposed, no matter how good this fraud detection is. Unless it's leveraging the equivalent of client certificates, it can be hacked. You can never really know the client; you can NOT track IPs because of botnets. You can NOT profile API requests you don't understand for maliciousness. And now KOR has your secret, so you've opened your secret to an attack on KOR.

You're wrong about financial institutions; they have app-to-app API keys all the time. All it takes is one dev to use this product for that use case and boom, chaos.

I'm guessing you'll delete this comment, but this is a flawed and dangerous product.

Colin

CORS is pretty tight. If the allowed origin is strictly the host domain, you're not going to have any problems with people poking around from Postman.

Besides, the API you're connecting to should be secure in its own right if it's dealing with sensitive information lol. It's not up to a relay to protect data, which is what this is: a weak bastion of sorts.

chris damour

My curl/wget cares nothing about CORS. KOR is positioning itself as a secure way to connect to HTTP services requiring a secret by issuing a different KOR key and saying they'll detect misuse. Anyone can go to a site using KOR and see the KOR key, and curl the same request. It's a broken idea, and scary that there are tech folks out there such as yourself who don't understand it as such immediately.