How to write a Secure API - Robert's Blog


By Robby, December 4, 2017

Every API request must satisfy the points below.

  • Send every API request with the POST method, and check on the server side that every request actually arrived as a POST.
  • The API must be hosted on a sub-domain and must be served over HTTPS.
  • The API domain should not be crawled by Google or any other service.
  • Every request must carry the Auth Key and the Client Service in the request headers, and both must be validated on the server side.
  • Auth Key: simply an encrypted form of your secret word.
  • Client Service: just the name of the place where the API service is used (e.g. the Android frontend).
  • If any of these values (POST method, Auth Key, Client Service) does not match, you must redirect to the Unauthorised error page with status 401.
  • Every response from the server must be in JSON format with an HTTP status code.
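The request checks above, as an added example (not code from the post): a single server-side gate that rejects anything that is not an HTTPS POST carrying a valid Auth Key and a known Client Service, and answers with JSON and status 401 otherwise. The secret word, the client names, the header names Auth-Key and Client-Service, and the use of a SHA-256 digest as the "encrypted form of the secret word" are all assumptions made for the example. The X-Robots-Tag header is a standard way to ask crawlers not to index the responses, which covers the "should not be crawled" point.

```python
import hashlib
import hmac
import json

# Assumed configuration (not from the post); in a real deployment load these from
# a secrets store, never from source code.
SECRET_WORD = b"example-secret-word"
KNOWN_CLIENTS = {"android-frontend", "ios-frontend", "web-frontend"}

# Headers sent on every response: JSON body, and a request to crawlers not to index.
RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "X-Robots-Tag": "noindex, nofollow",
}


def expected_auth_key() -> str:
    """The value the client must present as its Auth Key.

    The post asks for an 'encrypt of your secret word'; a SHA-256 digest of the
    secret word stands in for that here (a substitution, not the post's scheme).
    """
    return hashlib.sha256(SECRET_WORD).hexdigest()


def unauthorised():
    """Status 401 with a JSON body, matching the post's 'Unauthorised' error."""
    return 401, dict(RESPONSE_HEADERS), json.dumps({"error": "Unauthorised"})


def validate_request(method: str, headers: dict, scheme: str = "https"):
    """Gate every API request. Returns (status, response_headers, body).

    Only an HTTPS POST with a valid Auth-Key and a known Client-Service passes;
    anything else gets the 401 JSON response.
    """
    if scheme.lower() != "https":
        return unauthorised()
    if method.upper() != "POST":
        return unauthorised()

    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    auth_key = h.get("auth-key", "")
    client = h.get("client-service", "")

    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(auth_key.encode(), expected_auth_key().encode()):
        return unauthorised()
    if client not in KNOWN_CLIENTS:
        return unauthorised()

    return 200, dict(RESPONSE_HEADERS), json.dumps({"ok": True, "client": client})
```

The checks are ordered so that the cheapest, least sensitive ones (scheme, method) run first and the secret comparison runs only on requests that already look legitimate; every failure path returns the same 401 body so a caller cannot tell which check failed.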

Generating and Checking Tokens

  • You can generate a token after login or signup.
  • Generating a Token
    • The token may be a randomly generated unique id or a unique key from the table (user id, email id or phone number) together with the mobile device id, and it must be encrypted together with the expiry date and time.
    • The token must be stored in the database in a separate table with the created time and the record status.
  • Checking a Token
    • It's simple: first decrypt the token and separate out the expiry date and time.
    • If the decrypted value is not in a valid format, simply redirect to the Unauthorised error page with status 401.
    • If the current date and time is later than the expiry date and time, simply redirect to the error page.
    • Otherwise, check whether the token is present in the table.
  • Refreshing a Token
    • The refresh token method extends the expiry date and time and generates a new token.
    • This method takes the time to extend by as its parameter.
    • It can be called from any method whenever necessary.
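The generate, check and refresh steps above carried through as one added example (not the post's code). One substitution is made: the post says the token is encrypted with its expiry; Python's standard library has no authenticated encryption, so the token is instead signed with an HMAC-SHA256 tag, and the check step verifies the tag and parses the expiry rather than decrypting. The server key, the in-memory dict standing in for the token table, and the claim names are assumptions. Timestamps are passed in explicitly so the expiry and refresh behaviour can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side signing key (not from the post); keep it in a secrets store.
SERVER_KEY = b"example-server-key-change-me"

# The post's "separate table" of issued tokens: token id -> row with created time
# and record status. An in-memory dict stands in for the database table.
TOKEN_TABLE = {}


def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def generate_token(user_id: str, device_id: str, ttl_seconds: int, now: float = None) -> str:
    """Issue a token carrying a random id, the user/device keys and the expiry time."""
    now = time.time() if now is None else now
    token_id = secrets.token_hex(16)           # random, unique per issued token
    expires_at = int(now + ttl_seconds)
    claims = {"tid": token_id, "uid": user_id, "dev": device_id, "exp": expires_at}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    TOKEN_TABLE[token_id] = {"user_id": user_id, "created": int(now),
                             "expires": expires_at, "status": "active"}
    return f"{body}.{_sign(body)}"


def check_token(token: str, now: float = None):
    """Return (status, claims). 401 means redirect to the Unauthorised error page."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:                          # wrong shape: not our format
        return 401, None
    # Verify the tag before trusting anything in the body (constant-time compare).
    if not hmac.compare_digest(_sign(body).encode(), tag.encode()):
        return 401, None
    try:
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        expires_at = int(claims["exp"])
        token_id = claims["tid"]
    except (ValueError, KeyError, TypeError):   # decoded value not in a valid format
        return 401, None
    if now > expires_at:                        # expired
        return 401, None
    row = TOKEN_TABLE.get(token_id)             # finally, is it present and active?
    if row is None or row["status"] != "active":
        return 401, None
    return 200, claims


def refresh_token(token: str, extend_seconds: int, now: float = None):
    """Extend the expiry by extend_seconds and issue a new token; the old one is revoked."""
    now = time.time() if now is None else now
    status, claims = check_token(token, now)
    if status != 200:
        return 401, None
    TOKEN_TABLE[claims["tid"]]["status"] = "revoked"
    remaining = claims["exp"] - now
    return 200, generate_token(claims["uid"], claims["dev"], remaining + extend_seconds, now)
```

Revoking the old token on refresh means a stolen copy stops working as soon as the legitimate client refreshes, and the table lookup is what lets you invalidate a token on logout without waiting for its expiry.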
