DEV Community


Discussion on: Should routing go before security?

chris

Consider this: An attacker finds a way (and eventually he or she would) to walk through the entire API and find all the endpoints. Then move to craft a token and try to bypass authentication.

Or would it be harder to first craft the authentication and then find the endpoints?

Which would, if successful, damage your product the most? Which would, if successful, be detected first?

I don't know anything about your product but those are, I believe, interesting questions to go through.

Rytis Author

I don't think API endpoints themselves are a huge secret. But if we require a valid token first, then it will be easy to see which user is trying to scan the API. Due to the nature of our business, the users are linked to real identities, so it would be easy to track which real person is doing the scanning (or whose account was compromised).

I think I kinda answered my own question here. Thank you for formulating the right questions for me to ask.
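Added illustration of the trade-off discussed in this thread (example code, not Rytis's project): a routing-first pipeline tells an anonymous caller whether a path exists, while an auth-first pipeline answers 401 for every unauthenticated request and attributes unknown-path probes to an identified user. The token table and route table are constructed sample data.

```python
from collections import Counter

# Constructed sample data (assumption, not from the discussion): token -> user id, and known routes.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ROUTES = {"/users", "/orders"}


def authenticate(headers):
    """Return the user id for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return VALID_TOKENS.get(auth[len("Bearer "):])


def handle_routing_first(path, headers):
    """Routing before auth: a missing path is reported before the token is checked."""
    if path not in ROUTES:
        return 404, None          # anonymous caller learns the path does not exist
    user = authenticate(headers)
    if user is None:
        return 401, None
    return 200, user


class AuthFirstPipeline:
    """Auth before routing: unknown paths are only revealed to identified callers."""

    def __init__(self):
        self.probes = Counter()   # unknown-path hits per authenticated user

    def handle(self, path, headers):
        user = authenticate(headers)
        if user is None:
            return 401, None      # same answer for real and missing paths
        if path not in ROUTES:
            self.probes[user] += 1  # attributable scan signal
            return 404, user
        return 200, user

    def suspicious_users(self, threshold=3):
        """Users who hit at least `threshold` unknown paths (a simple scan detector)."""
        return sorted(u for u, n in self.probes.items() if n >= threshold)
```

With auth first, an unauthenticated scan yields nothing but 401s, and an authenticated scan shows up in `probes` under the real account that performed it.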

chris

My pleasure! Keep it up!