I am new to APIs, and I am building a test one with Flask (ember app on the front end). One big question I have is, how do I secure specific routes so that only the browser that sent the request can get the response? (i.e. by default, not necessarily when there's a "login" event)
For example, I want to make sure that requests on this route:
/cart/kEaPoGwbQ7GiBAgVWLybQDMX (the latter part being the ID)
Can't be accessed by any other browser that happens to try the route with the same ID. I am already obfuscating the cart IDs so they can't be guessed...but there needs to be an additional layer to protect personally identifiable data.
On the other hand, most routes I do want to be accessible by all browsers that request it. Like:
/product/ABC1234
I'm managing state on the front-end app, so I am not using flask's session object. But I am wondering if that might contain a way for me to selectively secure certain routes?
Or...maybe token-based? I see there are solutions for token-based auth, but they are all geared towards user/pass "login"-style authentication. I don't see it being used by default for certain routes...if that's even possible.
What's the best practice?
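One way to get what the question asks for is a per-cart capability token: when a cart is created, the server generates a random secret, stores only its hash next to the cart, and hands the raw secret to the creating browser in an HttpOnly cookie. A later request to `/cart/<id>` is served only if the cookie's value hashes to the stored value; `/product/<id>` ignores cookies entirely. The example below is added here and is not the poster's code; it uses only the Python standard library (no Flask) so it runs on its own, and the store names `CARTS`, `PRODUCTS`, the cookie name `cart_owner` and the `handle_request` dispatcher are assumptions standing in for a database and for Flask's routing. In a real Flask app the same functions would sit behind `@app.route("/cart/<cart_id>")`, reading the cookie with `request.cookies.get(...)` and setting it with `response.set_cookie(..., httponly=True, secure=True, samesite="Lax")`.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores standing in for a database (example only).
CARTS = {}  # cart_id -> {"owner_hash": bytes, "items": list}
PRODUCTS = {"ABC1234": {"name": "Widget", "price": 9.99}}  # constructed sample

COOKIE_NAME = "cart_owner"  # hypothetical cookie name


def _hash_token(token: str) -> bytes:
    # Store only a hash so a leaked cart table does not leak owner tokens.
    return hashlib.sha256(token.encode()).digest()


def create_cart() -> tuple:
    """Create a cart and return (cart_id, owner_token).

    The cart ID appears in URLs and is therefore not a secret; the owner
    token is the capability proving the caller is the browser that created
    the cart, so it must only ever travel in an HttpOnly cookie.
    """
    cart_id = secrets.token_urlsafe(18)
    owner_token = secrets.token_urlsafe(32)
    CARTS[cart_id] = {"owner_hash": _hash_token(owner_token), "items": []}
    return cart_id, owner_token


def cart_owner_ok(cart_id: str, presented: Optional[str]) -> bool:
    """True only if the presented token matches the cart's stored owner hash."""
    cart = CARTS.get(cart_id)
    if cart is None or not presented:
        return False
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(_hash_token(presented), cart["owner_hash"])


def handle_request(path: str, cookies: dict) -> tuple:
    """Tiny stand-in for Flask routing: returns (status, body).

    Public routes ignore cookies; /cart/<id> requires the owner cookie that
    was issued together with that cart.
    """
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "product":
        product = PRODUCTS.get(parts[1])
        return (200, product) if product else (404, {"error": "not found"})
    if len(parts) == 2 and parts[0] == "cart":
        cart_id = parts[1]
        if not cart_owner_ok(cart_id, cookies.get(COOKIE_NAME)):
            # 404 rather than 403 so the response does not confirm the ID exists.
            return 404, {"error": "not found"}
        return 200, {"id": cart_id, "items": CARTS[cart_id]["items"]}
    return 404, {"error": "not found"}


if __name__ == "__main__":
    cid, tok = create_cart()
    print(handle_request(f"/cart/{cid}", {COOKIE_NAME: tok}))   # 200
    print(handle_request(f"/cart/{cid}", {}))                   # 404
    print(handle_request("/product/ABC1234", {}))               # 200
```

Because the check is on the token and not on the cart ID, obfuscating the ID stops mattering for access control: anyone can know the ID and still get nothing without the cookie. If you later add a login, the same cart record can be re-bound to the authenticated user rather than to the cookie.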