The security of the backend is very important to a full-stack web application. A less secure backend is more vulnerable to attacks and threats, and an application that is vulnerable to attack is setting itself up for failure in the future. Business revenue and users' trust can be lost when the web application breaks down unexpectedly because of a security attack on the backend.
It is important to build the backend application with security in mind. Here are 5 tips to consider while developing the backend of a web application:
- Validate all incoming requests
- Use HTTPS
- Limit the number of login attempts
- Limit the number of API requests
- Support blacklisting JWT tokens
The API is the entry point to the backend. It carries data to the backend application and returns a response to be consumed by the client (browser, mobile application, etc.). The backend application processes the data received through the API according to the business logic and sends the output back via the API. There are several reasons why incoming requests should be validated before they are consumed by the backend application:
- To ensure the request contains the required data
- To ensure the data in the request is in the right format
- To ensure the request carries the required authorization header to send and receive data
- To ensure there is no malicious data in the request
- To ensure the request body is not larger than the allowed size
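The five checks above, applied in one place before the business logic ever sees the request, as an added example (not code from the original post). The endpoint schema, the 4 KB size limit and the request shape are assumptions chosen for illustration:

```python
# Added example (not from the original post): a request validator that
# applies the checks listed above to an incoming API request before the
# business logic sees it. The schema, the size limit and the request
# shape (a headers dict plus the raw body bytes) are assumptions.
import json
import re
from typing import Any

MAX_BODY_BYTES = 4096  # assumed maximum accepted request size

# Assumed schema for a hypothetical "create user" endpoint:
# field name -> (expected Python type, format regex or None)
CREATE_USER_SCHEMA = {
    "email": (str, re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")),
    "username": (str, re.compile(r"^[A-Za-z0-9_]{3,32}$")),
    "age": (int, None),
}

# Control characters (other than tab/newline) have no business in JSON
# string fields and are a common sign of tampered or hostile input.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_request(headers: dict[str, str], raw_body: bytes,
                     schema: dict[str, tuple[type, Any]]) -> list[str]:
    """Return a list of validation errors; an empty list means the request
    passed every check and may be handed to the business logic."""
    errors: list[str] = []

    # Size: reject oversized payloads before parsing them at all.
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]

    # Authorization: the bearer token must be present and well-formed here;
    # its signature and expiry are checked by the auth layer afterwards.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or len(auth) <= len("Bearer "):
        errors.append("missing or malformed Authorization header")

    # Format: the body must be well-formed JSON and a JSON object.
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        errors.append("body is not valid JSON")
        return errors
    if not isinstance(body, dict):
        return errors + ["body must be a JSON object"]

    # Required data: every schema field must be present, and unknown fields
    # are rejected so callers cannot smuggle in attributes the endpoint
    # never asked for (e.g. a "role" field).
    for name in schema:
        if name not in body:
            errors.append(f"missing field: {name}")
    for name in body:
        if name not in schema:
            errors.append(f"unexpected field: {name}")

    # Format and malicious data: each present field must have the right
    # type, match its pattern and contain no control characters.
    for name, (expected_type, pattern) in schema.items():
        if name not in body:
            continue
        value = body[name]
        # bool is a subclass of int in Python; exclude it explicitly.
        if not isinstance(value, expected_type) or isinstance(value, bool):
            errors.append(f"{name}: expected {expected_type.__name__}")
            continue
        if isinstance(value, str):
            if CONTROL_CHARS.search(value):
                errors.append(f"{name}: contains control characters")
            elif pattern is not None and not pattern.fullmatch(value):
                errors.append(f"{name}: invalid format")
    return errors


if __name__ == "__main__":
    # Constructed sample requests: one clean, one with several defects.
    good_headers = {"Authorization": "Bearer token.here"}
    good_body = b'{"email":"a@b.io","username":"alice_1","age":30}'
    bad_body = b'{"email":"not-an-email","username":"al\\u0000ice","age":"30","role":"admin"}'
    print(validate_request(good_headers, good_body, CREATE_USER_SCHEMA))
    print(validate_request({}, bad_body, CREATE_USER_SCHEMA))
```

The order of the checks matters: the size check runs before the JSON parser so that a huge body never reaches it, and unknown fields are rejected rather than ignored, which is what stops a client from adding attributes such as `role` that the endpoint never offered.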
HTTPS is HTTP running over Transport Layer Security (TLS, the successor of the Secure Sockets Layer, SSL). It secures the data transfer between your backend application and the client (browser, mobile application, etc.) by encrypting the data, which prevents man-in-the-middle (MITM) attacks. Any application that transmits sensitive information such as login credentials, payment information or user data must implement HTTPS.
Advantages of using HTTPS include:
- Secure data transfer
- Data integrity: data cannot be altered undetected in the process of transmission
- Data transmission is faster than over plain HTTP, because the encrypted data in HTTPS has a reduced size compared to HTTP
It is important to limit the number of login attempts per IP address in order to prevent brute-force attacks. A brute-force attack is the process of submitting many passwords in the hope that one of them is correct. Your backend application can blacklist the IP address of a client once its number of failed login attempts exceeds the threshold set in your backend application.
In addition to limiting the number of login attempts per IP address, it is also important to limit the number of API requests an IP address can make within a time frame; this is to prevent DDoS (Distributed Denial of Service) attacks.
A DDoS attack is a malicious attempt by an attacker to disrupt the normal flow of traffic to your server by flooding it with abnormal internet traffic. In simple terms, the attacker makes millions of requests in order to slow down or stop your server entirely.
Your hosting company or server engineers can put infrastructure in place to prevent DDoS attacks on your server, but it is also important to go the extra step and implement an API request limiter in your backend application.
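Both limits above, the per-IP login lockout and the per-IP API request limit, can be built on the same sliding-window counter. The following is an added example, not code from the original post: the thresholds (100 requests per minute, 5 failed logins in 5 minutes, 15-minute lockout) and the in-memory store are assumptions; in production the counters would live in a shared store such as Redis so that every backend instance sees the same numbers.

```python
# Added example (not from the original post): a sliding-window limiter keyed
# by client IP, used both for the general API request limit and for locking
# out an IP after too many failed logins. Thresholds are assumptions.
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested
        self.events: dict[str, deque[float]] = defaultdict(deque)

    def count(self, key: str) -> int:
        """Number of events for `key` still inside the window."""
        now = self.clock()
        q = self.events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allow(self, key: str) -> bool:
        """Record one event for `key` if the window is not yet full."""
        if self.count(key) >= self.limit:
            return False
        self.events[key].append(self.clock())
        return True


class LoginGuard:
    """Lock an IP out for `lockout` seconds once it reaches `max_failures`
    failed logins within `window` seconds; a successful login resets it."""

    def __init__(self, max_failures: int, window: float, lockout: float,
                 clock=time.monotonic):
        self.failures = SlidingWindowLimiter(max_failures, window, clock)
        self.lockout = lockout
        self.clock = clock
        self.locked_until: dict[str, float] = {}

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[ip]  # lockout has expired
            return False
        return True

    def record_failure(self, ip: str) -> None:
        self.failures.allow(ip)
        if self.failures.count(ip) >= self.failures.limit:
            self.locked_until[ip] = self.clock() + self.lockout

    def record_success(self, ip: str) -> None:
        self.failures.events.pop(ip, None)
        self.locked_until.pop(ip, None)


# Assumed thresholds: 100 requests/minute per IP; 5 failed logins in
# 5 minutes locks the IP out of the login endpoint for 15 minutes.
API_LIMITER = SlidingWindowLimiter(limit=100, window=60)
LOGIN_GUARD = LoginGuard(max_failures=5, window=300, lockout=900)


def handle_login(ip: str, password_ok: bool,
                 limiter: SlidingWindowLimiter = API_LIMITER,
                 guard: LoginGuard = LOGIN_GUARD) -> int:
    """Return the HTTP status for a login attempt from `ip`. `password_ok`
    stands in for the real credential check, which only runs when the IP
    is neither rate limited nor locked out."""
    if not limiter.allow(ip):
        return 429  # general API limit hit
    if guard.is_locked(ip):
        return 429  # locked out after repeated failures
    if password_ok:
        guard.record_success(ip)
        return 200
    guard.record_failure(ip)
    return 401


if __name__ == "__main__":
    # Constructed sample traffic: six bad passwords, then the right one.
    for _ in range(6):
        print(handle_login("203.0.113.7", False))
    print(handle_login("203.0.113.7", True))  # still locked out
```

The lockout is checked before the password is verified, so a locked-out IP cannot keep testing passwords while locked, and the general limiter is consulted first on every endpoint, so the login handler also benefits from the request cap.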
JWT tokens by default have no mechanism to invalidate a token once it has been compromised or is being used to perform malicious operations on your backend application. Blacklisted JWT tokens can be stored in your server's database or in an in-memory database such as Redis, so that every API request made with a blacklisted token is refused. The small overhead of storing blacklisted tokens is that your API needs to hit that store on every request to check that the token is not blacklisted, which means your JWT implementation is no longer stateless.
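One way to implement the blacklist, as an added example that is not code from the original post: tokens carry a unique `jti` claim, the blacklist (denylist) is keyed by that `jti` and keeps each entry only until the token's own `exp`, and every request is verified and then checked against the list. The secret, the claims and the in-memory dict standing in for Redis are assumptions; the HS256 signing is done with the standard library rather than a JWT package.

```python
# Added example (not from the original post): minting and verifying HS256
# JWTs with the standard library, plus a denylist keyed by the "jti" claim
# that is consulted on every request. The secret and the in-memory store
# (a stand-in for Redis) are assumptions.
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"assumed-server-secret-change-me"  # assumption: loaded from config


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Issue an HS256 JWT; `jti` must be unique so the token can be revoked."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenDenylist:
    """jti -> exp. Entries are dropped once the token would have expired
    anyway, so the store only holds tokens that are still live."""

    def __init__(self) -> None:
        self._store: dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._store[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        self._prune(now)
        return jti in self._store

    def _prune(self, now: int) -> None:
        for jti, exp in list(self._store.items()):
            if exp <= now:
                del self._store[jti]


def verify_token(token: str, denylist: TokenDenylist, now: int) -> Optional[dict]:
    """Return the payload of a valid, unexpired, non-revoked token, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the token must not choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("jti"), str):
        return None  # a token without a jti could never be blacklisted
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if denylist.is_revoked(payload["jti"], now):
        return None
    return payload


def revoke_token(token: str, denylist: TokenDenylist, now: int) -> bool:
    """Called on logout or by abuse detection: blacklist the token until
    its own expiry. Returns False if the token was not valid to begin with."""
    payload = verify_token(token, denylist, now)
    if payload is None:
        return False
    denylist.revoke(payload["jti"], payload["exp"])
    return True


if __name__ == "__main__":
    dl = TokenDenylist()
    tok = mint_token("alice", "jti-1", ttl=3600, now=1000)  # constructed clock
    print(verify_token(tok, dl, 1500))   # payload dict
    revoke_token(tok, dl, 1500)          # e.g. user logged out
    print(verify_token(tok, dl, 1500))   # None: blacklisted
```

Keying the list by `jti` rather than by the whole token keeps the entries small, and pruning by `exp` bounds the store: an entry only needs to exist for as long as the token it blocks would otherwise be accepted.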
In conclusion, the tips shared above, if well implemented, can make your application more secure. Do you have any security tips that you apply while developing backend applications? Do not hesitate to share them below.
Thank you for reading.