I am a Full stack .NET Developer, I like to work with C#, Asp.Net Core, SQL, Mongo DB, Azure, JavaScript...
Always eager to learn new technologies. I am here to share, ask & eventually learn.
I am new to this stack, I have another question. Suppose you have an API and a client-side app in JavaScript which makes requests to the API to get some data.
How can we securely store an API key or token in the client-side JavaScript code or React app, because anyone can see the JS code in the browser, isn't it?
Also, how can we secure the API? Because I heard that even if CORS will not allow another host to call my domain, we can hack it by using curl and act as the same domain.
I use cookies for authenticating the users.
You are 100% correct that it is not safe to use API keys in the browser.
Usually, if you want to use API keys, they must be issued every session and can last only for a few minutes.
Once you implement cookies or any system for authenticating the users, you don't need to be afraid of a 3rd-party calling your service.
Nice 😄, if possible, can you share a post on how you used a cookie-based implementation at a high level using this stack, like the front-end and back-end stack used and how you made requests to the back-end API from the front end using cookies? Like, were the cookies generated on the client side or server side and how were they used to authenticate the API, etc.
I will do my best!
Check out the video series from Auth0 on authentication. Depending on your use-case (which yours falls into) there are still many choices. Auth is hard and filled with a ton of pitfalls. There are arguments to be made with JWTs, but the tried and true here is to use cookies and ensure that it is http-only, but it’s best to not just let me tell you. It’s better if someone else asks you and you can explain why you made this choice out of many. Those videos are short and very understandable.
Thanks for sharing ☺️
Thanks, curious: if Auth0 is filled with a ton of pitfalls then why should I check the videos?
Even with Auth0, you have many choices — like JWT or cookie-based sessions. Auth0 provides many “strategies”, but it’s best to know which works best with the right trade-offs. Like, do you understand why JWTs may be insecure? Did you know that having a separate client and API both served from the same domain makes the headaches of having an auth server almost moot? These are good things to know when making an auth choice that underpins access to your systems. The wrong choice is hard to find time to re-do when you’ve already got live users.
I just use AWS Cognito with AWS API Gateway.