Due to the nature of the product am working on,a fintech solution,i have to interact with multiple APIs. While doing this,i discovered some really cool techniques one can build a much more secure API without sacrificing ease of access.
You may be thinking ,why do i need another security layer? i can use either the basic auth or header token bearer and maybe even just create a secret/public key for the endpoint user/client to protect access to my API service Yes you are right! but it won't be bad also to give you API more security and also what if someone else somehow gain an access to authorization credentials? won't it make sense if even the access is stolen,and the data useless because its encrypted? for the next few seconds/minutes you will use reading this article,i will be discussing two of approaches i have discovered.
Approach 1
in this approach ,we are to hash a variable(s) and a secret keywords or even the whole payload using the agreed encrypting algorithm.
so for every request to the server ,the server compare the hash value to check for its authenticity and also the client check the authenticity of the data received before performing any further action.
for example ,lets assume the interaction below is between two systems;the server and the client, the agreed hashing algorithm is unreal256 that can be used with thehash() function. Assuming we have an API server that returns user's transaction histories to another system.We can choose to hash some values like userID +sharedSecretKey+...
{
"userID":6,
"hashed":"z332Xcte3490"//hashed string returns by hash() our unreal hashing function
}
Before either party process any request ,it must check the authenticity of the request received by comparing the hashed value in the received payload.
To even make the process much more secure ,we can even implement our API in such a way that before the client server can perform any action they must send something like an initializing request to the host server that give a random characters(saved by host server) as response for the client server to hashed with other variables and predefined characters or values.
Approach 2
In this approach ,we will be using the The GNU Privacy Guard the library/application is describe as below on the official site
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.
Basically in this approach,each party exchange public keys,and encrypt request/response with each other public key while each one decrypt with its own private key.
for example System A will encrypt with system B public key and System B will encrypt also with System A public key when sending request , each one decrypt response with its own private key.
for more data privacy, we can then choose to encrypt the whole payload and send/receive as just a text(hashed value).
to use this approach in your javascript application ,you can checkout the project OpenPGP
and for PHP check OpenGPG PHP
Got some other approaches you will want others to learn? please comment it below and lets learn together.
Top comments (0)