The API Churn/Security Trade-Off (2016)

(intercoolerjs.org)
28 points aaossa | 8 comments | 14 Apr 25 08:25 UTC | HN request time: 0.867s | source | bottom
1. recursivedoubts ◴[16 Apr 25 18:39 UTC] No.43708873[source]
Aaaayyyy yooo, i wrote this a long time ago, but I think it holds up!

TLDR: there is a trade off in how much expressive power you can surface to front-end developers when their logic is written in-browser because anything you give to them, you give to anyone who can open up a console. That makes things a lot more dangerous and is in contrast w/ the back end, where you can give developers access to a full SQL implementation.

replies(1): >>43708963 #
2. Etheryte ◴[16 Apr 25 18:47 UTC] No.43708963[source]
At the end of the day, it's still only shuffling around where you define your constraints, because you need them either way. Whether you define a rigid API endpoint for the frontend (named the problem in the article) and handle access control there, or make the API fluid with e.g. GraphQL (the first solution in the article) and define access controls there, it's still the same problem.
replies(1): >>43709110 #
3. recursivedoubts ◴[16 Apr 25 19:01 UTC] No.43709110{3}[source]
I don't agree with that.

You can give a back end developer SQL, because the users of your application don't also get SQL. Not true of GraphQL.

4. gz5 ◴[16 Apr 25 19:13 UTC] No.43709230[source]
We need to be careful on how and where we define our constraints regardless, but we can mitigate against this to some degree for some APIs:

>The problem with these increasingly expressive end points is that you are putting them not just in the hands of your front end developers, but also in the hands of potentially hostile users.

Meaning, let's not expose to 'hostile users' if we can help it.

For example, put the API gateway solely on a private overlay, and gate entrance to that overlay to endpoints with enrolled private key signed certs (+ other factors if you wish).

Puts more burden on the API clients - e.g. PKI enrollment, management, etc. would need to be reliable, automated and abstracted.

So infeasible or too much friction for some APIs, but this would reduce the attack surface for a B2B API with a limited number of consumers...and many of those would take that tradeoff?

Of course, we still wouldn't 'trust' the private network overlay in our API definitions...it would just be one more layer of security if access is gated with modern cryptography.

replies(1): >>43712321 #
5. librasteve ◴[16 Apr 25 19:42 UTC] No.43709531[source]
intercooler.js is the forerunner of htmx.org - by the same author
6. yawaramin ◴[17 Apr 25 01:55 UTC] No.43712321[source]
We know about mTLS. Nobody does it because it's just too painful.
replies(1): >>43719367 #
7. JackSlateur ◴[17 Apr 25 16:49 UTC] No.43719367{3}[source]
We do that at scale

Too painful ? It is just regular TLS