Ask HN: How do I secure my REST API? - lamina

I've recently built a REST consuming web-app with a user account system. While I'm choosing not to store sensitive data such as passwords (using Google/Facebook), I'd prefer to prevent just anybody from accessing the REST endpoints. What are some good ways of doing this? The app is using the MEAN stack.

Also, security is REALLY not my forte, and this side-project isn't monumental or anything, so I'm willing to sacrifice some security for brevity and ease-of-use.
======
arisAlexis
Usually you put a filter mechanism so some endpoints are restricted. This
checks for a valid token sent by the client (by sending it back to Facebook).
If you find this procedure slow you can also use good old sessions (although
some people consider this stateful and thus not appropriate (I am not in this
camp)).

------
phantom_oracle
If your API is meant for other developers to build upon, you use public keys
and registration, just like how you registered to use Google/Facebook login.

You should also sanity-check your GET/POST requests, to make sure they contain
ONLY what is allowed.

There are many other things you can do, but I can't think of them right now.
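The two suggestions above (a token-checking filter in front of restricted endpoints, and an allow-list check on what a request body may contain) as one added example for a MEAN-style Express app; this is illustrative code written for this thread, not anything the posters supplied. `validateToken` and `KNOWN_TOKENS` are hypothetical stand-ins for the call back to the identity provider, and the functions are plain so the file runs under Node without Express installed.

```javascript
// Endpoints that need no token (constructed sample).
const PUBLIC_PATHS = new Set(['/api/health', '/api/login']);

// Hypothetical stand-in for asking Google/Facebook whether a token is valid.
// A real app would call the provider or verify a signed token here instead.
const KNOWN_TOKENS = new Map([['tok-alice-123', { userId: 'alice' }]]);
function validateToken(token) {
  return KNOWN_TOKENS.get(token) || null;
}

// Pull the token out of "Authorization: Bearer <token>"; null if absent/malformed.
function bearerToken(headers) {
  const value = headers && headers.authorization;
  if (typeof value !== 'string') return null;
  const [scheme, token] = value.trim().split(/\s+/);
  return scheme && scheme.toLowerCase() === 'bearer' && token ? token : null;
}

// The "filter mechanism": decide whether a request may reach its handler.
// 200 = allowed (user is null on public paths), 401 = no token, 403 = bad token.
function authFilter(req) {
  if (PUBLIC_PATHS.has(req.path)) return { status: 200, user: null };
  const token = bearerToken(req.headers);
  if (!token) return { status: 401, user: null };
  const user = validateToken(token);
  return user ? { status: 200, user } : { status: 403, user: null };
}

// Sanity-check a body against an allow-list of field names. Unknown keys are
// reported rather than silently dropped, so a client slipping in a field like
// "isAdmin" is rejected instead of mass-assigned into the database.
function checkBody(body, allowedFields) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, unexpected: ['<body is not an object>'] };
  }
  const unexpected = Object.keys(body).filter((k) => !allowedFields.includes(k));
  return { ok: unexpected.length === 0, unexpected };
}

// How the filter would be wired into Express (hypothetical; not needed to run this file):
//   app.use((req, res, next) => {
//     const { status, user } = authFilter(req);
//     if (status !== 200) return res.sendStatus(status);
//     req.user = user;
//     next();
//   });
//   app.post('/api/profile', (req, res) => {
//     const check = checkBody(req.body, ['name', 'email']);
//     if (!check.ok) return res.status(400).json({ unexpected: check.unexpected });
//     res.sendStatus(204);
//   });
```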

