How to write a Secure API - Robert's Blog
How to write a Secure API
Every API request must satisfy the following rules.
- Send every API request with the POST method, and have the server reject any request that arrives with a different method. The client-side convention on its own proves nothing; the check on the server is what counts.
- Host the API on its own subdomain and serve it only over HTTPS.
- Keep the API domain out of Google and every other crawler or index (robots.txt, noindex). This is hygiene that limits how widely endpoint names are published; it is not a security control, so never rely on an endpoint being "unknown".
- Every request must carry an Auth Key and a Client Service value in its request headers, and the server must validate both.
- Auth Key: a value derived from your secret word (the original post says "encrypted"). Because it is the same on every request, it is a static shared secret that identifies the calling application, not the user. Keep it out of source control and compare it on the server in constant time.
- Client Service: the name of the client that is calling the API (e.g. Android frontend). Check it against an allowlist of known clients; it is a label, not a credential, and is only as trustworthy as the Auth Key that accompanies it.
- If any of these checks fails (wrong method, missing or invalid Auth Key, unknown Client Service), respond with HTTP status 401 Unauthorized. Return that status with a JSON error body rather than redirecting to an HTML error page: a redirect is a 3xx response, which contradicts both the 401 and the JSON-only rule below.
- Every response from the server must be JSON and carry an appropriate HTTP status code.
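The request gate described above, written out as an added Python example (not code from the post, and framework-free): it takes the scheme, method and headers of an incoming request and returns the status and JSON body to send back. The expected Auth Key value, the allowlist of client service names, and the header names Auth-Key and Client-Service are assumptions made for illustration.

```python
import hmac
import json

# Added example, not the post's code. EXPECTED_AUTH_KEY stands in for the
# post's "encrypted secret word": server-side, all that matters is that it is
# a long, static, opaque string compared in constant time. The allowlist of
# client service names and the header names are also assumptions.
EXPECTED_AUTH_KEY = "3f9c2a7e1b4d8e6f0a5c7b9d2e4f6a8c1b3d5e7f9a0c2e4b6d8f0a1c3e5b7d9f"
ALLOWED_CLIENT_SERVICES = frozenset({"Android frontend", "iOS frontend"})


def json_error(status, message):
    """Error responses are JSON plus a status code, never an HTML redirect."""
    return status, json.dumps({"error": message})


def check_request(scheme, method, headers):
    """Apply the request-level rules and return (status, body).

    (200, None) means the request may proceed to the endpoint handler.
    scheme is the URL scheme the request arrived on; behind a TLS-terminating
    proxy, derive it from a forwarded-proto header set by that proxy only.
    Every failure returns the same 401 body so nothing can be enumerated.
    """
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}

    if scheme != "https":
        return json_error(401, "Unauthorized")
    if method.upper() != "POST":
        return json_error(401, "Unauthorized")

    auth_key = hdrs.get("auth-key")
    client_service = hdrs.get("client-service")
    if auth_key is None or client_service is None:
        return json_error(401, "Unauthorized")

    # compare_digest takes time independent of where the strings differ;
    # a plain == stops at the first mismatching byte and leaks it via timing.
    if not hmac.compare_digest(auth_key.encode(), EXPECTED_AUTH_KEY.encode()):
        return json_error(401, "Unauthorized")

    # The client service is a label checked against a fixed allowlist, so an
    # unexpected caller cannot name itself into an unhandled branch.
    if client_service not in ALLOWED_CLIENT_SERVICES:
        return json_error(401, "Unauthorized")

    return 200, None


if __name__ == "__main__":
    good = {"Auth-Key": EXPECTED_AUTH_KEY, "Client-Service": "Android frontend"}
    print(check_request("https", "POST", good))   # (200, None)
    print(check_request("https", "GET", good))    # (401, '{"error": "Unauthorized"}')
```

In a real deployment the gate runs as middleware in front of every endpoint, and the secret is loaded from the environment or a secret store rather than a module constant.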
Generating and Checking Tokens
- Generate a token after a successful login or signup.
- Generating a token
- The token combines a unique identifier (either a randomly generated id, or a unique key from the user table such as the user id, email address or phone number) with the mobile device id, and is encrypted together with its expiry date and time. Draw the random id from a cryptographically secure random source, and use authenticated encryption (an AEAD mode, or encryption plus a MAC) so that a token whose expiry has been altered fails to verify instead of decrypting to a forged value.
- Store the token in a separate database table with its creation time and a record status, so that any single token can be revoked by changing its status.
- Checking Token
- First decrypt the token and separate out the expiry date and time. If decryption or the authentication check fails, treat the token as invalid.
- If the decrypted value is not in the expected format, respond with HTTP status 401 Unauthorized.
- If the current date and time is later than the expiry date and time, respond with 401 Unauthorized as well.
- Otherwise, check that the token is present in the token table and that its record status is still active; a token that is missing from the table or has been revoked is also rejected with 401.
- Refreshing Token
- The refresh token method extends the expiry date and time and issues a new token.
- It takes the extension period (how much time to add to the expiry) as a parameter.
- It can be called from any method when necessary. When the new token is issued, mark the old one as revoked in the token table so that only the newest token is valid.
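The full token lifecycle from the three subsections above (generate, check, refresh) as one added Python example; it is not code from the post. It departs from the post in one labelled way: the token is HMAC-signed rather than encrypted, which is what the validity check actually needs (a token the server did not issue, or one whose expiry was edited, fails verification); if the fields must also be hidden from the client, swap the HMAC for an AEAD such as AES-GCM. SERVER_KEY, the in-memory TOKEN_TABLE and the function names are the example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Added example, not the post's code. The post encrypts the token; here it is
# signed with HMAC-SHA256 (standard library only). SERVER_KEY and TOKEN_TABLE
# are assumptions standing in for a real key store and the post's token table.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = 32      # bytes of HMAC-SHA256 output appended to the payload
SEP = "|"         # field separator inside the payload

# token -> {"created": epoch seconds, "status": "active" or "revoked"}
TOKEN_TABLE = {}


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def generate_token(user_id, device_id, ttl_seconds, now=None):
    """Issue a token for (user, device) that expires ttl_seconds from now."""
    now = time.time() if now is None else now
    if SEP in str(user_id) or SEP in str(device_id):
        raise ValueError("field contains the separator")
    expires = int(now + ttl_seconds)
    # The random id comes from the OS CSPRNG, never random.random() or a clock.
    random_id = secrets.token_hex(16)
    payload = SEP.join([random_id, str(user_id), str(device_id), str(expires)]).encode()
    token = base64.urlsafe_b64encode(payload + _sign(payload)).decode()
    TOKEN_TABLE[token] = {"created": int(now), "status": "active"}
    return token


def check_token(token, now=None):
    """Validate in the post's order: format, expiry, then the token table.

    Returns (ok, reason, fields). Every failure maps to a 401 at the API
    layer; the reason is for server-side logging only.
    """
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, AttributeError):
        return False, "malformed", None
    if len(raw) <= TAG_LEN:
        return False, "malformed", None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Verify before parsing, so nothing unauthenticated is interpreted.
    if not hmac.compare_digest(tag, _sign(payload)):
        return False, "bad signature", None
    parts = payload.decode(errors="replace").split(SEP)
    if len(parts) != 4 or not parts[3].isdigit():
        return False, "malformed", None
    _random_id, user_id, device_id, expires = parts
    expires = int(expires)
    if now > expires:
        return False, "expired", None
    row = TOKEN_TABLE.get(token)
    if row is None or row["status"] != "active":
        return False, "revoked or unknown", None
    return True, "ok", {"user_id": user_id, "device_id": device_id, "expires": expires}


def refresh_token(token, extend_seconds, now=None):
    """Extend the expiry by extend_seconds and issue a new token.

    The old token is marked revoked so only the newest one stays usable.
    Returns (new_token, reason); new_token is None on failure.
    """
    now = time.time() if now is None else now
    ok, reason, fields = check_token(token, now)
    if not ok:
        return None, reason
    TOKEN_TABLE[token]["status"] = "revoked"
    new_ttl = fields["expires"] + extend_seconds - now
    return generate_token(fields["user_id"], fields["device_id"], new_ttl, now), "ok"
```

The `now` parameter exists so expiry and refresh can be exercised deterministically; production callers leave it unset. The token table keeps only status and creation time, as the post specifies, so revocation is a status flip and the signed payload remains the source of truth for who the token belongs to.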