If we're using Firebase hosting, how would we access someone's API without server-side scripts like php?
Firebase hosting only hosts static files. So in order to call external api, you've to do it from JavaScript using fetch/axios or something like that. However, if the api endpoint hasn't enabled CORS for your domain, your browser doesn't allow to make that request for security.
I ended up figuring out how to do it using php.
Related
I have an API developed in PHP for my Flutter web app. I am using this API to fetch all the data. But, I can see all the requests made to the server.
Is there any way to hide/restrict any unauthorized person to use my API? I am using HTTP library to make calls from my flutter app to API. I just want to hide those calls to web API. I have seen some websites do that. Since the server code and website code in those websites are in the same directory it can be accessed directly without having to make a request to the webserver.
Two problems I see are
You are able to see all the request made to backend server from your web page and you want to hide them.
The answer to this is No you cant. I say this based on my search in google and some posts in SO like this
You may think about disabling the developers tools. The answer is No and maybe with unknown side effects.
Is there any way to hide/restrict any unauthorized person to use my API?
The answer to this question is yes and can be done in many approaches. Like you said token based authorization has its own issue with keys being leaked and thats why there is always validity associated with it and should be considered. There are mechanisms such as refresh tokens to renew tokens etc.
The first and foremost thing I would do is enable CORS mechanism in your sever where the server will only allow request from very specific domains to be processed. More details available here
I made an API for PHP which provides data to the Windows 10 UWP app to load data from MySQL. I would like to make sure that only the app has access to that data and people can't just check it out from a browser. Do you guys have any idea how to do it? Can I send a unique id from my app and check if it is real on the back end of the PHP server?
If you do not want to authenticate your users. You could pass the Appid in the header.
string appId = CurrentApp.AppId.ToString();
and only allow gets and posts with information included to use your api. It might be better to use an authentication service like an oath provider. This would be a much more secure way to go. Someone could easily spoof your app if you are not using https to communicate with your backend.
I am implemented In App Billing for android.I wanted to implement subscription validity checking through my backend server. As Google Play Documentation, for making call for Google Play API,need authentication using oauth 2.0.
I followed instructions for registering project and creating credentials. But from there I have no idea how to use those credentials, I tried authentication via CURL request, but it asking permission as shown in follwing image
This permissions works fine I can exchange code and get access token, but all this done by manually, how should I implement this on backend.
I even try to use google api php library provided by Google, but It adds confusion. Also they didn't provide any example, how to use library.
Can anybody elaborate how exactly use library or pure php?
Thanks in advance.
To perform LVL and/or IAB validation on a server, do not access Google servers directly from the server. Even if all information were available, you would face integrity problems, because your app and your server will see different information due to synchronization latencies.
Instead, use your app as a proxy and validate the Google Play information on your server as described here.
I have an API written in PHP that works by receiving HTTP POST requests, the API will then process the request and output some XML.
I have an Android application that is communicating with this API successfully.
My question is how do I make this secure?
I was looking into using OAuth, but for PHP it uses a library that is not available to me.
Plus as the API is not public and only to be used by external applications created by myself, this seems a bit overkill.
What other suggestions would you recommend? I was looking at sending an API key/signature along with the POST request.
It should be done the same way you make javascript calls secure. You use sessions. You should be able to send and receive headers, why not accept cookie-like data? At least session_id. Securing with SSL for open wifi hotspots would also be very beneficial if you use symmetric authentication.
OAuth has a different purpose - its when your website starts to host third party applications that users want to use without giving this app own password.
Recently I programmed a little app for my android device. As the datastorage for the app, Iam using a mysql database, which can be accessed via different php scipts. So all the app does, is it sends POST requests to the php scripts to communicate to the database.
But now I consider about the security aspect. These php scripts can be accessed by every webclient. So every webclient has the possibility to compromise my database, which is of course not the ideal case.
So I was wondering if there is a way to just allow authorized clients to use these php-webservices?
Does php provide any kind of authentification that can be used by an android client?
Cheers
You simply need to require an authentification when invoquing the service:
simple and dirty: http basic auth, like Twitter used to do
a better solution is OAuth, like Twitter now does
There are of course other possibilities (WS-Security, but you don't seem to use SOAP).
for security, you should prefer to interact through an API to your mysql...isn't it?
A few points:
Use a different port (i.e: not 80 or 8080) for the web access
Add authentication with a username and password. Inside your application, you can get these from a secure config file.
On the server side, you can also do some checking on user agents, IP addresses and maybe even device ids.
This is just a start