Website to Connect to External API

  • Question

  • User-1408159057 posted

    We have a website where we are creating a Help Desk ticket portal.  We would like to connect this site to our Auto Task API.

    I am confused as to where to place the code for the connection into our website's structure in order to ensure it is secure.

    What is the best practice to utilize a form to send data to an API in a call while limiting the user's access to the code?

    Thanks

    Jason

    Wednesday, June 24, 2020 3:08 PM

All replies

  • User475983607 posted

    How does your Web Site and Web API security work?

    What is the best practice to utilize a form to send data to an API in a call while limiting the user's access to the code?

    If we assume the Web Site is secured by a login, then you would write code or add configuration that only allows users with the appropriate privileges to access the form.

    Wednesday, June 24, 2020 3:49 PM
  • User-1408159057 posted

    The site is an intranet site.  It has a database of users with permissions and we store session data in a table.

    The API uses SOAP.  I am concerned that if I add credentials and access to the external API from our site, users may be able to access connection information.

    How do I know the SOAP authorization code and execution of calls is limited to our designated form or method?

    Thanks,

    Jason

    Wednesday, June 24, 2020 9:12 PM
  • User475983607 posted

    How do I know the SOAP authorization code and execution of calls is limited to our designated form or method?

    You are asking this question as if your application and security model are common knowledge.  Perhaps someone on your team can help you?

    Wednesday, June 24, 2020 10:09 PM
  • User-1408159057 posted

    Not really. My manager has some experience with this particular API, but I am more concerned with best practice. Could you please suggest a link that would get me in the right direction of beginning my understanding of protecting my API code in my internal site?  I was searching "Securely access an external API from your website" but I could not locate something that fit the answer I am looking for.  As I proofread my response I am seeing that I can search for Protecting Code in your Web App.

    I will start there but any suggestion of material from someone with more knowledge would be greatly appreciated.

    Jason

    Thursday, June 25, 2020 12:15 PM
  • User-474980206 posted

    You don't secure the external API (that's their job). You secure your site. Your site (even if only web pages) becomes an open API. The code that calls the external API should verify the user is allowed to make the call, and the data passed is allowed to be sent by the user.

    If your site is given admin access to the second site, rather than passing the user, then you need more verification of the requests.

    Thursday, June 25, 2020 8:03 PM
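The server-side check described in the last reply, as an added example that is not part of the original thread: the handler authorizes the session, accepts only fields the user may set, escapes them into the SOAP body, and reads the API credentials from server configuration so they never reach the browser. Python is used only for illustration; the session store, permission name, field names, environment variable names, the `CreateTicket` element and the `send` callable are all hypothetical.

```python
import os
from xml.sax.saxutils import escape

# Constructed stand-ins for the site's session table and permission data.
SESSIONS = {"sess-abc": {"user": "jdoe", "perms": {"ticket:create"}}}
ALLOWED_FIELDS = {"title": 120, "description": 4000}  # field -> max length
ALLOWED_PRIORITIES = {"low", "normal", "high"}

class Rejected(Exception):
    """Request refused before any call to the external API is made."""

def build_ticket_request(session_id, form):
    """Authorize the caller and validate the form; return a SOAP body or raise."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Rejected("not logged in")
    if "ticket:create" not in session["perms"]:
        raise Rejected("user may not create tickets")
    # Anything outside the allow-list (e.g. a forged "requester") is refused.
    unexpected = set(form) - set(ALLOWED_FIELDS) - {"priority"}
    if unexpected:
        raise Rejected(f"unexpected fields: {sorted(unexpected)}")
    fields = {}
    for name, max_len in ALLOWED_FIELDS.items():
        value = str(form.get(name, "")).strip()
        if not value or len(value) > max_len:
            raise Rejected(f"invalid {name}")
        fields[name] = value
    priority = str(form.get("priority", "normal"))
    if priority not in ALLOWED_PRIORITIES:
        raise Rejected("invalid priority")
    # The requester comes from the server-side session, never from the form.
    fields.update(priority=priority, requester=session["user"])
    # escape() keeps user text from injecting extra XML elements.
    items = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in fields.items())
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<soap:Body><CreateTicket>{items}</CreateTicket></soap:Body>"
            "</soap:Envelope>")

def submit_ticket(session_id, form, send):
    """`send(body, username, password)` is a hypothetical transport callable."""
    body = build_ticket_request(session_id, form)
    # API credentials live only in server-side configuration (environment here).
    return send(body, os.environ["HELPDESK_API_USER"], os.environ["HELPDESK_API_PASS"])
```
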