How to send a form to my server and then to the API, and not publish it directly (for security reasons)?

There is an integration with an API for interactive online classes. The API vendor wanted us to submit a form from our site with the customer_token parameter as an input field. It is used to authenticate to the API, and each client is assigned one token. The client identifier is actually a hashed value of a domain name or IP or something like that.

Now, after integration, they want me to somehow hide the customer_token input field from access via Firebug from Mozilla and similar tools, because anyone can see the token, send a similar form to the API and access the API service. Of course, the API was not developed by experts. They did not understand the problem before, and this is not a widely used API.

I asked a question earlier ("Best way to hide form input field from access using firebug?") and realized that it is impossible to hide any information sent using the GET/POST method. Someone asked me whether the request is sent directly to the API, or first to my server, or something like that.

Please explain how to fix the security issue and how to implement it.

Thanks, Sandeepan

0
2 answers

You can POST to your server, where a script POSTs all the parameters on to the action URL of the API form, with customer_token added by your server-side script, so clients cannot see it.

So you have the original form:

    <form action="http://someapi.com/blah" method="POST">
        <input type="hidden" name="customer_token" value="foo">
        <input type="text" name="whatever">
        ...
    </form>

And use instead:

    <form action="myapiblah.php" method="POST">
        <input type="text" name="whatever">
        ...
    </form>

Note that in the second example there is no customer_token. Then in myapiblah.php (change the name, obviously, especially depending on the server-side language you are using; I could provide more specific examples if you tell me what you are using) use something like this pseudo code:

    parameters = $_POST;
    parameters['customer_token'] = 'foo';
    send_http_request('POST', 'http://someapi.com/blah', parameters);

You will need to know the details of using send_http_request.

In PHP, you would do something like this if you can use pecl_http in PECL:

    $params = $_POST;
    $params['customer_token'] = 'foo';
    $req = new HttpRequest('http://someapi.com/blah', HttpRequest::METH_POST);
    // The fields go in the POST body (addPostFields), not the query string
    $req->addPostFields($params);
    try {
        $req->send();
        if ($req->getResponseCode() == 200) {
            // success!
        } else {
            // got to the API, but the API returned perhaps a RESTful response code like 404
        }
    } catch (HttpException $ex) {
        // couldn't get to the API (probably)
    }
0
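The relay pattern described in the answer above, as an added example that is not part of the original answer: a small Python/WSGI endpoint that accepts the browser's POST, forwards only an allow-listed set of fields to the API, and adds customer_token from the server's environment. The endpoint URL, the field name `whatever` and the environment variable `CUSTOMER_TOKEN` are assumptions carried over from the answer; `CannedResponse` is a stand-in for a real HTTP response so the module can be exercised offline. Two points the relay has to get right, beyond hiding the token: it must drop any customer_token the client sends (otherwise a client can still substitute its own value), and because the relay itself is now reachable by anyone, it should only accept requests from your own authenticated users (session check or CSRF token, left as a hook here) or it simply becomes an open proxy to the API.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

API_ENDPOINT = "http://someapi.com/blah"   # placeholder URL taken from the answer
ALLOWED_FIELDS = {"whatever"}              # assumption: the only client-supplied fields we forward


def build_upstream_request(client_fields, customer_token):
    """Return (url, urlencoded body bytes) for the call to the API.

    Anything outside ALLOWED_FIELDS is dropped, so a client-supplied
    customer_token can never reach the API; the server's own token is added.
    """
    forwarded = {k: v for k, v in client_fields.items() if k in ALLOWED_FIELDS}
    forwarded["customer_token"] = customer_token
    return API_ENDPOINT, urllib.parse.urlencode(forwarded).encode()


def decode_body(body):
    """Helper for inspection/tests: turn an urlencoded body back into a dict."""
    return dict(urllib.parse.parse_qsl(body.decode()))


def relay(client_fields, customer_token, opener=urllib.request.urlopen):
    """Forward the sanitized form to the API; return (status, response bytes).

    `opener` is injectable so the logic can be tested without network access.
    A None status means the API could not be reached at all.
    """
    url, body = build_upstream_request(client_fields, customer_token)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:     # reached the API, got e.g. 404
        return err.code, err.read()
    except urllib.error.URLError:             # DNS/connect failure
        return None, b""


class CannedResponse:
    """Constructed stand-in for urllib's HTTPResponse, used for offline runs."""

    def __init__(self, status=200, body=b"ok"):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def caller_is_authorized(environ):
    """Hook: only your own logged-in users should be able to use the relay.
    Assumption: replace with a real session/CSRF check for your framework."""
    return True


def application(environ, start_response):
    """WSGI entry point; serve with e.g. wsgiref.simple_server for a local run."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"POST only"]
    if not caller_is_authorized(environ):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    fields = decode_body(environ["wsgi.input"].read(length))
    token = os.environ.get("CUSTOMER_TOKEN", "")   # assumption: token kept server-side in the environment
    status, body = relay(fields, token)
    if status is None:
        start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
        return [b"API unreachable"]
    start_response(f"{status} ", [("Content-Type", "text/plain")])
    return [body]


if __name__ == "__main__":
    # Offline demonstration with a canned API response; the client's attempt
    # to smuggle its own customer_token is discarded by build_upstream_request.
    url, body = build_upstream_request({"whatever": "x", "customer_token": "evil"}, "foo")
    print(url, decode_body(body))
    print(relay({"whatever": "x"}, "foo", opener=lambda req: CannedResponse()))
```

Keep the real token out of the repository and the web root (an environment variable or a secrets store is the usual place), and log only the upstream status code, not the forwarded body, so the token does not end up in your access logs either.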

You were asked the right question! Does the form go first to your web server? That is, is the site hosted on a regular URL where Apache or another web server accepts the request, or does the form go to some service (a web server is itself just a service that listens on port 80, mostly)? If you hide the field in a web form, it is useless: if you look at the source code of the site, you will still see the hidden field!

0
