ContextQMD
Back to Developer Roadmap

Api Security

src/data/question-groups/full-stack/content/api-security.md

4.01.1 KB
Original Source

Rather than overlapping each other, authorization and authentication reference two very distinct stages of security within your app.

Authentication

On one side, we have authentication, in charge of verifying the user identity. You can use tokens (e.g., JWT, OAuth) or sessions for this.

Example: Validate a JWT sent in headers:

javascript
const token = req.headers['authorization'];
jwt.verify(token, secretKey, (err, decoded) => { ... });
Authorization

Once authenticated, users need to be authorized to access the resources. For this to work, you’ll need to define roles and permissions for your users.

Middleware example:

javascript
app.use((req, res, next) => {
  if (req.user.role !== 'admin') return res.status(403).send('Forbidden');
  next();
});
Best Practices
  • Use HTTPS to ensure a secure channel between the browser and the server.
  • Validate input to prevent injection attacks.
  • Rate-limit API requests to avoid having your APIs overwhelmed by potential attackers.
  • Store sensitive data securely (e.g., hashed passwords).