I have a .NET Web API serving a Cordova-based mobile app and a web front end written in AngularJS. I have done a ton of research, and most sources either don't give a great answer or give one that's huge overkill for my situation. Security is not a huge concern, but I want to employ some amount of basic security to ensure that only my app is making calls to my server.
All users are required to log in through Facebook and do not have their own passwords for my app. My thought was that as long as they are authenticated through Facebook and the request is originating from my app, then they are good to go.
The question is, how do I ensure the request is coming from my app? During logon I issue bearer tokens, so that part is fine, but what about calls that don't require authorization? The primary issue that comes to mind is submitting feedback and survey forms; I would hate someone jacking with those records. The best option I've come across seems to be to create an encrypted token of the call parameters plus an app_secret and attach it to the request. The issues with that are: couldn't someone recreate that? And since the front end is in JavaScript, they could find the app_secret.
1) How can I secure the server to ensure pre-login calls are originating from my app?