API security question

Hi guys

This is probably a stupid question, but I was just wondering, say you are using a free-to-use API code in a project and someone obtains that API code, what would be your biggest concern? Would they, for example, be able to somehow obtain your credit card details if you made a payment on a totally different website, like say you recently bought a game on Steam and your Steam account is set up with the same email that you used to get the free API code?

I hope my question makes sense!
Thank you

1 Like

I think the big concern is that they could use your access to that API. Let’s say you get an API key to a server that lets you get stock quotes. They limit your site to 10k calls a day. That works fine for your client. But you encode the key on the front end, so anyone can get it. Soon they overload your key with calls to the server. Maybe you even get charged extra.

The usual way around this is to put the key on the back end and call your HTTP API that checks your credentials, makes sure the user is authorized, and then the back end calls the stock site for you and returns the data over HTTP.

This will all make more sense after you finish the back end stuff. If you’re worried about showing your key on the front end challenges, there isn’t really any way around it. And I wouldn’t worry about it. Just use keys to APIs that are free.


It depends on a lot of factors. If you believe it’s been compromised, revoke the API key. I’d say in some circumstances it would be useful in a social engineering attack.

Some API keys give people the ability to act as you on different platforms.

For example, I have a Twitter bot that uses API keys linked to my Twitter account.

If those keys were made public, anyone could post as me on Twitter and cause me all sorts of trouble.

People have been fired for the contents of their Twitter feed.

You should treat all API keys from a service the way you would treat your password for that service.

1 Like

Thank you, so it would be fine if I buy stuff online? People won’t be able to obtain my credit card details or something like that, if it is a free API?

Thank you for your answer. So they would only be able to access my social media accounts? They won’t be able to obtain any personal information like credit card details used for online shopping or buying games on Steam etc.?

Thanks for the advice!

I’m not sure I understand. If I get an API key to a stock quote API, I can’t imagine how they would use that to get my credit card details to go make purchases on Amazon. The worst case is that they could use that stock quote API with my API key, using up my limited service. Even if I used my credit card to secure or pay for the API key, in order to get access to my account details I still need to use my username and password. The API key is only to access the API, not to access the account. I’ve never seen it set up where you access your account details with the API key. Even if you could, the credit card details are usually masked.

And if the API key is free? Then there is no problem because that account and API key are in no way linked to your credit card details. It poses no more risk than if you lost your library card.

If you’re doing the front end projects, just look for ones with no API key (like the weather API that FCC built) or ones with free keys. Without a backend, there is no way to hide the API key.

When you start building professional sites, you’ll need to hide those keys in the back end, in a .env file that stays hidden. But don’t worry, you’ll get a chance to do that when you do that backend challenge.

But unless you’re going to build a server, there’s not much you can do. Don’t worry about it for the front end section. Just remind yourself that it’s a little sketchy and that you’ll learn the proper way to handle it later.
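The back-end pattern described in the answers above (key kept on the server, caller checked, then the server calls the stock API and returns the data), as an added example that is not part of the original thread. The upstream URL, the `STOCK_API_KEY` variable name, the session token and the per-user limit are assumptions for illustration.

```javascript
// Added example: keeps a third-party API key on the server. All names here are hypothetical.
const UPSTREAM = 'https://quotes.example.com/v1/quote'; // placeholder stock-quote API
const DAILY_LIMIT = 3; // per-user cap, kept well below the provider's quota for the key
const sessions = new Map([['constructed-session-abc', 'alice']]); // constructed sample session
const usage = new Map(); // user -> upstream calls spent today

// Decide whether this caller may spend one upstream call. Returns an HTTP status.
function authorize(token) {
  const user = sessions.get(token);
  if (!user) return 401; // unknown caller never reaches the keyed API
  const used = usage.get(user) || 0;
  if (used >= DAILY_LIMIT) return 429; // one user cannot burn the whole key quota
  usage.set(user, used + 1);
  return 200;
}

// Core handler. `fetchUpstream` is injectable so it can be faked offline; defaults to fetch.
async function handleQuote({ token, symbol }, apiKey, fetchUpstream = fetch) {
  if (!apiKey) return { status: 500, body: { error: 'server misconfigured' } };
  if (!/^[A-Z]{1,5}$/.test(symbol || '')) return { status: 400, body: { error: 'bad symbol' } };
  const status = authorize(token);
  if (status !== 200) return { status, body: { error: 'not allowed' } };
  let res;
  try { // the key travels server-to-server only, in a header the browser never sees
    res = await fetchUpstream(`${UPSTREAM}?symbol=${symbol}`, {
      headers: { Authorization: `Bearer ${apiKey}` },
    });
  } catch { return { status: 502, body: { error: 'upstream failed' } }; }
  if (!res.ok) return { status: 502, body: { error: 'upstream failed' } }; // no upstream detail leaked
  const data = await res.json();
  return { status: 200, body: { symbol, price: data.price } }; // forward only the needed fields
}

// HTTP wiring (Node 18+): set STOCK_API_KEY in the server's environment, then startServer(3000).
async function startServer(port) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const url = new URL(req.url, 'http://localhost');
    const out = await handleQuote({
      token: (req.headers.authorization || '').replace(/^Bearer /, ''),
      symbol: url.searchParams.get('symbol'),
    }, process.env.STOCK_API_KEY); // read from the environment, never shipped in front-end code
    res.writeHead(out.status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(out.body));
  }).listen(port);
}
```

The front end then calls this server's own endpoint with the user's session, so the provider's key never appears in anything the browser downloads.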

I think I’ve watched too many movies… Thank you so much for your answer, it cleared up all my questions.

If you’ve followed standard security practices, your source code being public won’t be an issue. What will be an issue is if API keys leak. Personally I think all websites should be open source so the public can immediately audit and fix any security issues and/or bugs, but we don’t live in a perfect world so uh yeah :frowning: