I am developing an API for a project in which I participate. The API will be consumed by the Android, iOS app and desktop site. Almost the entire API is available only to registered users. The API allows authentication through WSSE, which is great for mobile applications, but not so good for a website. However, I use Symfony2 to develop the API, and I configured it to allow access to the API using WSSE and / or session / cookie validation (multiple firewalls with a common security context, if you're interested).
With a similar API like this, I am concerned about cases of abuse. For example, take my registration method. I just want it to be used by apps or a website. However, nothing prevents someone from writing a simple script to mask the API with dummy signatures. Then there is concern for CSRF. Since the API may be accessible by a registered user, then there is a risk that it may be used.
I do not want the API to be publicly available, but I do not know if this is possible, given that it will be used by the site. Is there anything that I can remove (or reduce) the risks and vulnerabilities?
Sincerely.
source
share