Questions tagged [api]
Application Programming Interface; a set of routines, protocols, tools or endpoints used in software development.
546 questions
0 votes, 0 answers, 19 views
Issues consuming HTTP FastAPI from HTTPS-embedded widget (frontend fetch)
How can I make a frontend widget on HTTPS communicate with an HTTP FastAPI backend without CORS or mixed content issues? I'm building a chatbot widget that's embedded into a website served over HTTPS. ...
-2 votes, 0 answers, 63 views
Why is open banking called open banking [closed]
Recently, I have become interested in open banking. Since I was concerned about security concerns about how safe open banking is, I decided to post this here. I have also been a developer and am ...
0 votes, 1 answer, 51 views
When not to use Authorization Code Grant?
Why would an OAuth implementation choose to use the Authorization Code Grant -- when it means that the access tokens are leaked to a third party? I've been using API keys for a package on my server to ...
0 votes, 0 answers, 71 views
How to assess poor OAuth security implementations?
What questions should I ask to determine if a given OAuth implementation is secure? I've been using a WordPress plugin for payments that authenticates with the payment gateway with an API key. I like ...
-1 votes, 0 answers, 44 views
Gaining visibility on APIs used in an organisation
One can't secure what they don't have visibility on. Over the years, we've had hundreds of new APIs developed but there is no central place to look at all the endpoints. I am trying to gain visibility ...
0 votes, 2 answers, 144 views
Is there a way to limit web server access by domain?
Currently, there is no way to use the OpenAI API (ChatGPT) from the frontend without exposing your secret key. I wonder if there is a way to solve this. My thinking is: I would create a web server ...
2 votes, 0 answers, 50 views
Can SELinux restrict who can call a specific TEE UUID
I'm investigating how to control access to an API a TEE application presents. I believe I can use SELinux to control which kernel modules can access the client TEE library, but I need finer-grain ...
2 votes, 1 answer, 68 views
Risks associated with client writes to queue
For higher API request volumes, some APIs will offer some form of batch API requests (e.g. 1, 2). These allow for one HTTP(S) call to send many effective requests, freeing up network resources and ...
0 votes, 1 answer, 84 views
What is the purpose of Yubico API client ID?
Yubico PAM module requires one to specify the id (API client ID) parameter obtained from Yubico API key signup page. For example: auth sufficient pam_yubico.so id=1234 authfile=/etc/yubikey_mappings ...
1 vote, 1 answer, 140 views
Web Server API returns Hacked webpage when Unity Project makes API call
We currently have a Linux/Apache/SQL web server that has API access for our app in the Meta store (Quest 2 & 3). When I manually type in the address in Chrome (desktop computer) I get the proper API ...
8 votes, 1 answer, 4k views
How can I block localhost access from other computers on the same local network?
I have an offline app that serves a localhost server while it is running. Other computers on the same local network can access this server through 192.168.x.xxx. I want to block them from accessing ...
0 votes, 1 answer, 128 views
Is there an automated way to generate a valid API request from Swagger docs?
I am doing a pentest which includes an API and all I have access to is Swagger UI docs. The Swagger docs don't show me real-world data in the examples, nor do they offer a "try request" ...
1 vote, 1 answer, 119 views
ReDoS - Vulnerability found, but DoS not possible
I have an API which is protected by AWS CloudFront. I found a ReDoS in one of my API endpoints. The endpoint looks like this: https://mywebsite.com/api/myendpoint?apikey=xxxx&namefilter=yyyy The ...
0 votes, 0 answers, 42 views
Can non-rotatable secrets be stored in ciphertext form in a DB/file/etc.?
We have a service running on AWS. This service uses secrets such as API keys of third party services (in other words: secrets which do not rotate automatically). These secrets are stored in AWS ...
0 votes, 1 answer, 357 views
Using mTLS for API access control and authentication
My question is about using mTLS for API access control and authentication. I understand in mTLS, both the server and client (making the API request) will verify each other's identity. This allows the ...