Where to store the API token, user / pass, etc.

So I have a web page. This web page accesses an API, be it with basic auth, OAuth, Digest, whatever. I have to send some authentication to the API endpoint of another service. Imagine this is the Facebook OpenGraph API.

Facebook provided me with credentials to use its API. Where can I store these credentials to protect against external attacks? I've always just put them in my server-side code, as the API documentation tells you. Is it safe enough? I am not worried about internal attacks, I am worried about external attacks.

Where can I put the authentication credentials my web application uses to access other services so that they are protected from outside attacks?

+3


2 answers


Great question, seeing that mashups using several other services are becoming more popular. Unfortunately, there is really no practical place to keep such credentials where they are perfectly safe from outside attacks. Here are some options:

  • Store them in source code. An attacker could gain access to the source code through a misconfiguration of the server or a flaw in the server software, or could access the file system on the server or intercept the network traffic between the server and Facebook.
  • Store them in a database external to the server. But where do you store the credentials for the database so your code can access it? You just moved the problem to a different set of credentials, and if the database is accessible outside of the local network, you actually increased the attack surface.
  • Store them in a file on the server. Now an attacker will have to gain access to the file system or intercept network traffic. Thus, it is more secure than the previous ones.
+1
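The third option above, a credentials file on the server, as an added example that is not part of the original answer: the loader refuses a file that sits under the webroot (a misconfigured server could serve it as a static file) or that is readable by group or others, and a constructed scenario shows which files are accepted. The file names, the JSON layout and the field names are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def load_api_credentials(path, webroot):
    """Load JSON credentials from a file kept outside the webroot with owner-only permissions."""
    cred_path, root = Path(path).resolve(), Path(webroot).resolve()
    # Refuse anything under the document root: a misconfigured server could serve it as a static file.
    if cred_path == root or root in cred_path.parents:
        raise PermissionError(f"{cred_path} is inside the webroot {root}")
    mode = cred_path.stat().st_mode
    # Refuse group/world-readable files: any other local account could read the secret.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{cred_path} has mode {oct(stat.S_IMODE(mode))}, expected 0o600")
    with open(cred_path, encoding="utf-8") as fh:
        return json.load(fh)


def write_credentials(path, creds, mode):
    """Write a credentials file and set its mode explicitly instead of leaving it to the umask."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(creds, fh)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: one correctly placed file, one world-readable, one inside the webroot."""
    sample = {"app_id": "123456", "app_secret": "constructed-sample-secret"}  # constructed values
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot, etc = Path(tmp, "htdocs"), Path(tmp, "etc")
        webroot.mkdir()
        cases = {
            "good": (etc / "fb_api.json", 0o600),
            "world_readable": (etc / "world.json", 0o644),
            "in_webroot": (webroot / "fb_api.json", 0o600),
        }
        for name, (p, mode) in cases.items():
            write_credentials(p, sample, mode)
            try:
                results[name] = load_api_credentials(p, webroot)
            except PermissionError as err:
                results[name] = "rejected: " + str(err)
    return results
```

Running `demo()` on a POSIX system returns the parsed credentials for the correctly placed file and a rejection message for the other two.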


If you are worried about external attacks and want to be safe, you should not store credentials in your application. Save the credentials on the server. Your application should prompt the user for credentials when they need to authenticate.

After authentication, if you want to preserve the user's login state, set either session cookies that expire when the browser session ends, or persistent cookies that do not expire.

0
