Hey awesome person! Thank you for reading this post. I am super happy to have you here. Today is the 9th day of my #30DaysOfCode challenge. The challenge has been so much fun for me that I can't explain in words. I have learnt and grown a lot in the last 9 days. You all have been very supportive in my journey so thank you for that too.
Now, today I would like to talk about a simple trick that can make our API very secure. Whenever you are writing code for user signup, you should keep this neat little trick in mind. The trick is really helpful and can protect you from attackers. Enough of the talking, let's just take a look at the code.
Both the example works and both will create a user but there is a serious problem with the first example. In the first example, we are just directly creating a user from all the data sent by the client. This is very unsecure because there are many other fields that you don't want the client to set. For example, you don't want the client to set the passwordResestToken or passwordResetExpiryDate but in the first example, the client will be able to do so because we are not filtering or processing the data. The client will be able to set the fields which they should be. But this can be fixed easily with the second example approach.
In the second example, we are creating a user only from the fields which we want. We are deconstructing name, email and password field from the data send by the client and we are creating a user from these fields only. This way the client wouldn't be able to set the passwordResestToken or passwordResetExpiryDate or any fields which are not required in registering user. So, always choose the second example over the first example.
This simple trick can really save you from attackers. But this simple trick does not mean that you are safe from all the other vulnerability. You still need to learn more about API security and I am pretty sure that you will.
Alright! That's all for today. Don't forget to like and share this post if you found it useful.
This is me, Signing Off!
Connect With Me:
Youtube: ShubhamSauravYT.
Twitter: @hiShubhamSaurav
Instagram: @hiShubhamSaurav
Facebook: @hiShubhamSaurav
Top comments (0)