What is the best way to protect an API?

[sammyskills]

Hi everyone,

From the docs, Shield🛡️ provides a way to generate an access token (or tokens) which will be checked on all incoming requests as set in the filter. This works well if you assume that "you know where the request is originating from". For example, from a mobile app or third-party app.

But what about cases where the API is created, but you want to limit access to the API routes to only specific or predetermined sources?
See this scenario:

• I've developed an API, the endpoints are publicly available (which is what we currently have)
• To authenticate a user, I'll have to generate an access token, return it to the user so it can be saved and included in the header for subsequent calls.

Now, what if, before the authentication, I don't want everyone to have access to the endpoints? Like putting an extra security somewhere that checks if this request is coming from an approved source, something along the lines of API_KEY to be added to the BEARER token that is checked in the header?

• Is this an overkill?
• Does it follow API security best practices?

If this is okay, what are the best ways to achieving something like this?
I understand that I'll have to create an store the API_KEY somewhere (database, as an environment variable, etc), but what is the best way to add the extra check:

• included in the header, or
• as a form field ?

Thank you.

[kenjis]

Maybe I'm not understanding the question well, but if you want to protect your API,
wouldn't it be better to check if the request header contains a token?

[sammyskills]

How does a user know the key? If you have a way to share the key with the user, it can protect the register page when the key is private.

I intend generating a key, store it in the database. This key will then be shared with specific users who I want to grant access to the API.

I don't know because I don't know your details. If anyone can get the key easily, it does not help a lot.

The idea is to make the API private, so the key cannot be gotten easily except it is shared by the developer.
For example, twilio API, users must provide SID and other necessary keys before getting access to expected values.

[kenjis]

I intend generating a key, store it in the database. This key will then be shared with specific users who I want to grant access to the API.

My questions is:

• how do you authenticate the user when you share the key?

If you have a secure way to inform the key and the key is unguessable, using the key makes sense.

[sammyskills]

• how do you authenticate the user when you share the key?

Actually, there are two options I'm considering: as an additional header or as a form field. Which do you advise?

If you have a secure way to inform the key and the key is unguessable, using the key makes sense.

Yes, I do. The key will be unguessable just like the rawToken generated by shield. This key will be shared with a frontend developer via email.

[kenjis]

This key will be shared with a frontend developer via email.

Thank you. I got your situation. You have developer contact list already, and can send email.

an additional header or as a form field

For security It doesn't matter which one.
They both will be sent in a HTTP request. The only difference is the place,
in a request header or request body.

Adding the key to a header might make the implementation a bit cleaner
since the request body is just data.

[sammyskills]

Thank you @kenjis.