My server send some data to the mobile app
The user does some operations with those data and sends other objects back to the server, which contains the data that the server first sent (PS: of course those objects are created by the mobile app through user interaction)
Before the server persist mobile's data, should I validate if the server data inside it is consistent? Because if it's not, it will cause a exception.
But if you know it will cause a exception, why don't you avoid it?
Because I'm relying on:
Mobile app to be working 100% and send consistent data
Authentication between requests so it's not forged
Extra overhead checking something that normally would be OK, unless someone hacks it
Yes, you should validate and sanitize all inputs on the server side. Authentication doesn't help with integrity. If I am an attacker, I can make HTTP requests using CURL bypassing any security control you may have in your app.
Related
I am wonder which way would be better to write chat application.
First idea to send message with HTTP request, save in the database, and resend message to recipient using sockets.
Second idea is to do it using only sockets.
I wonder, because I have access and refresh token authentication system with HTTP request, and I think that this way would be safer..
Either way works. Most people use sockets, but you can have a database to save logs and the such. Token authentication is usually done before entering the chat application, but it's up to whatever design you want. If you have no need for logs, just use normal sockets.
context
I'm building a project to better understand login/security, and SSL is really tripping me up.
So far I have a front end (vue.js), an API (node/express), and a DB (postgreSQL).
This is the general auth flow:
When a user logs in they send an email and password (via Axios) to the API.
The API queries the database for a matching username and then using bcrypt.compare it checks the password that is hashed in the database.
If this is successful, the API signs a JWT and sends it to the client.
The client then saves the JWT in local storage and is used for future queries.
question(s)
So far I think that all of the above is the best practice EXCEPT for the first step. From the reading, I've done so far the client needs SSL to securely send a password to the API. Is this the case? Does my server also need to be SSL or just the client/host?
I'm ultimately going to try to use firebase hosting (which is automatically SSL) for the frontend, and heroku for the API and database. If there are more secure options I'm open to suggestions.
Also, in general, I'm new to all of this security stuff - If I'm missing anything or if something else isn't secure, I would love the advice!
SSL creates a secure connection between two points. In our scenario between the client, and the server. After some initial negotiation, the client encrypts its messages in a way that only the server can decrypt. And the server does the same with its answers, or its own questions. By using SSL between these two end points, nobody but the client and server can read the messages.
This is important, since a message sent between client and server is actually seen by many more machines/processes in between. Dozens of other processes can thus see the message, and if the message is not encrypted that means all those processes can know exactly what's in the message. When the client and server communicate over SSL, the other processes still see the messages, but they can't decrypt them.
To your concrete questions: the client opens a secure connection to the server. Both the client and the server need to support this. If you write a custom server, that means you'll need to ensure it has a SSL certificate. A very common place to get these for free these days is letsencrypt.org.
My app was hosted in xxx.com, which gets data from yyy.com. All API requests were triggered from client side.
Is there a way to intercept its request or response in node?
No, and Yes.
For the requests made by your client, you must have some control of the data sent back to the client in order to intercept it.
Assume a scenario where:
Client -----(request)----->Third Party App Server -------(response)-----> Client
In this case, as the back-end server never had a chance to come into picture, there is no way the server can change the data. Well of course, that is when the server doesn't come into picture.
Instead, if you send the request to the node server itself, which forwards the request to the Third Party App server, you obviously have control of the response receive and thus, you can manipulate both request and response or maybe just log it (whatever is your use case).
Client -----(request)----->NODE_SERVER---->Third Party App Server -------(response)-----> Node_Server ----> Client
What a few developers do to intercept the requests made from the client is that they write some client-side JavaScript code and embed it into the browser (Some sort of authentication).
While this works okay in case of normal requests, a person with malicious intents might just disable your front-end interception code and directly receive a response from the Third Party application.
Thus, if you really need to have access to the requests and response,
YOU MUST FORWARD THE REQUESTS TO AN APP SERVER YOU HAVE CONTROL TO.
P.S. It is not just about nodejs.
I need to implement a server that can handle simultaneous connections from both a client app and a browser that share a common database, however the clients from the browser have different functions from the clients of the app. I would like suggestions if this is the best design implementation. I decided not to have a different server for the client app or from the browser for this same reason as I can foreshadow synchronization issues when retrieving/writing information form the database. Is there a way to somehow attach a string or other information in front of the http connection to be able to tell each apart?
when the connection is made to the server what should be done?
var server = http.createServer(function(request,response)
{
//Code to tell them apart
});
Your client app is the best place to start. Do you have control over the client app? If you can modify it to send a specific header, that may work. Otherwise, another way to do so is to differentiate between User Agents... If the client app will always have a specific UA, treat all requests with that UA as a client app request, and all others as a browser request.
I am looking at ways to implement a safe client-server communication via HTTPService requests in Flex/Air. The server side is implemented in PHP, whereas the client could be running on a desktop (Air) or on a browser (flex).
The simply usecase that I need help to secure is -
Desktop client sends a request to the server and gets a response
How can I ensure at the server side that the request is being sent from a valid client? From what I could research, Flex doesn't allow for manipulation of request headers so I am failing to manipulate them. All request queries can be seen by using any network monitor, so having a unique (yet static) parameter won't really hit what I am trying to achieve.
On the other hand, the server can be mimicked by simply manipulating the hosts file. At the client end, how can I ensure that I am receiving the response from the actual server and not from an alias added to hosts file
My solution is to encrypt and decrypt data on the both sides.
In the Air data you need to send should be encrypted with as3crypto and send to server where PHP whould decrypt it, Look here in the last post for the working code example decrypt a as3crypto encrypted text in PHP, you can do the same in case of server to client communation.
So you need to keep same Key and IV for both server and client sides, To be more secure you can embed them as binary data in the project http://www.ghostwire.com/blog/archives/as3-embedding-binary-xml/, it's wouldn't be easily viewable for AS3 decompilers, but anyway take for the notice that it might be hacked by the advanced guys.