Best practice for using an external API securely


#1

So I’m working with an external API that requires a user ID and a token. I am wondering what some best practices are for working with such a use case in Ember.js, so as not to allow just anyone to open my app’s files, grab the URL, and figure out how to hit it over and over and DDoS or potentially lock my API out for too many calls.

I’m not too worried about it at this point in the small project I’m working on, but in the future, if I start building out apps that interface with APIs, I want to have this info at the ready.


#2

I think it would be best to call that API from a proxy server application (like Rails, Scala, whatever) and forward the calls, without any sensitive information, to your Ember client.

Ember client -> your server application (acting as a proxy) -> the API’s server application


#3

Okay, I’ve heard of Rails being a good candidate for use alongside Ember, but what other server-based technologies are best to use that will get this sort of job done?


#4

I don’t see the value of the proxy. How is the proxy server less susceptible to a DDoS attack than the original API’s server? Unless I’m an expert on internet security, wouldn’t I be better off trusting that the people running the external API are going to do a better job of defending against malicious use than I would?


#5

It’s about the user ID and token: if you put that stuff directly in your JavaScript app, it’s easy for an attacker to determine/extract your credentials and use them. If you put a proxy between your client application and the API, the source of your data/API is hidden by your application. You are better in control. But yes, this does not help against DDoS attacks (though using nginx with flux/rate control/limiting or a firewall helps).


#6

Additionally, you could cache requests to the external API to prevent hitting a usage limit :smile:
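One way to implement the proxy that posts #2, #5 and #6 describe, as an added example rather than code from the thread: a small Node.js module in which the browser never sees the upstream user ID/token, only allow-listed paths are forwarded, each client is rate-limited, and upstream responses are cached. The upstream origin, header names and environment-variable names are assumptions.

```javascript
// Added example (not code from the thread): the proxy pattern from posts #2, #5 and #6 as a
// small Node.js module. The Ember client talks only to this server; the server keeps the
// upstream user id/token, forwards only allow-listed paths, rate-limits clients and caches.
const UPSTREAM = "https://api.example.invalid"; // assumed upstream API origin
const ALLOWED_PATHS = new Set(["/v1/items"]);   // only these paths may be proxied

// Credentials come from the server's environment, never from app/*.js shipped to browsers.
function loadCredentials(env) {
  const { UPSTREAM_USER_ID: userId, UPSTREAM_TOKEN: token } = env; // assumed variable names
  if (!userId || !token) throw new Error("upstream credentials not configured");
  return { userId, token };
}

// The browser sends no credentials; the proxy attaches them. Null for non-allow-listed paths.
function buildUpstreamRequest(clientPath, creds) {
  if (!ALLOWED_PATHS.has(clientPath.split("?")[0])) return null;
  const headers = { "X-User-Id": creds.userId, Authorization: "Bearer " + creds.token };
  return { url: UPSTREAM + clientPath, headers };
}

// Fixed-window limiter keyed by client (IP or session id): one client cannot burn the quota.
class RateLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.hits = new Map(); }
  allow(key, now) {
    const e = this.hits.get(key);
    if (!e || now - e.start >= this.windowMs) { this.hits.set(key, { start: now, count: 1 }); return true; }
    return ++e.count <= this.limit;
  }
}

// TTL cache: identical requests from many clients cost one upstream call per ttlMs.
class ResponseCache {
  constructor(ttlMs) { this.ttlMs = ttlMs; this.entries = new Map(); }
  get(key, now) { const e = this.entries.get(key); return e && now - e.at < this.ttlMs ? e.body : undefined; }
  set(key, body, now) { this.entries.set(key, { body, at: now }); }
}
// Handler; fetchUpstream(req) -> { status, body } is injected so the logic runs offline.
function makeHandler({ creds, limiter, cache, fetchUpstream, clock = Date.now }) {
  return function handle(clientKey, clientPath) {
    const now = clock();
    const upstreamReq = buildUpstreamRequest(clientPath, creds);
    if (!upstreamReq) return { status: 404, body: "not found" };
    const cached = cache.get(clientPath, now);
    if (cached !== undefined) return { status: 200, body: cached }; // cache hits skip the limiter
    if (!limiter.allow(clientKey, now)) return { status: 429, body: "too many requests" };
    const res = fetchUpstream(upstreamReq);
    if (res.status === 200) cache.set(clientPath, res.body, now);
    return { status: res.status, body: res.body }; // upstream headers are not echoed to the client
  };
}
```

In a real deployment the clientKey should be a session or user identity the proxy authenticates itself, and the nginx rate limiting mentioned in post #5 can sit in front of this process as a second layer.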


#7

Ahhh! Thanks for the explanation.


#8

Yes I plan to look into doing that once I get to that point in my development cycle. But I first must learn how to use Ember in the first place.