Enhancing API Security: Hiding Routes and Encoding Keys – Possible Solutions Needed

Hello,

I recently conducted some tests in Chrome’s inspector and noticed that the API collection connected to WeWeb displays all the values returned by the API, including the route.

Although this feature may seem standard and mundane for front-end development, I fear that it’s not secure enough. In fact, I sometimes try to exploit flaws in APIs by examining key names for reverse engineering. This approach has even allowed me to uncover data providers from my competitors, among other things.

However, I have occasionally noticed that the API routes are not visible on certain sites or applications, even if the JSON result data is.

My first suggestion would be to determine if it’s possible to implement a technical solution so that the API route is not visible in the inspector.

My second suggestion, aimed at enhancing security and preventing reverse engineering, would be to encode the value keys. So instead of a presentation like this:

{
    "user_id": 2,
    "entreprise_id": 2,
    "cache_bdd_id": 0
}

We would have something like this:

{
    "sMwCwrEb": 2,
    "yHhKOEGE": 2,
    "MdjdbVcS": 0
}

While keeping in mind that a link should exist through the WeWeb editor to recognize that "user_id" corresponds to "sMwCwrEb", etc.

Thanks

Here is the snapshot of the API response

and the API route

Hi, I’m not sure I understand.

There is no way to hide your API request from the inspector. On which website were you able to see the JSON result but not the API request? How did you see the JSON result if you were not able to click on the API request in the list?

Your web app is directly connected to your backend. So if you want to obfuscate your data by renaming your keys, you have to do it in your backend. It’s your backend that sends this JSON.

It means that even if we manipulated the data, we could only do it inside the browser, once the data has been received, so it would be useless.

But I understand your concern. This is why it’s extremely important to secure your data in Xano. You have to ensure that every endpoint returns the minimal amount of data required and that only the people who need this data can access it.
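To make the reply's recommendation concrete, here is an added example (not code from this thread, nor from WeWeb or Xano) of a backend-side response shaper: each endpoint serializes only an allow-listed set of fields per caller role, and a plain user can only read their own record. The field names "user_id", "entreprise_id" and "cache_bdd_id" come from the original post; the other fields, the endpoint names and the roles are assumptions for illustration.

```javascript
// Added example, not from the thread: the backend decides what the browser
// receives, so data minimization and access checks must live here. Renaming
// keys does not help, because every value still reaches the inspector.

// Constructed sample record as the backend might load it from the database.
// "user_id", "entreprise_id", "cache_bdd_id" come from the post; the rest are assumed.
const userRecord = {
  user_id: 2,
  entreprise_id: 2,
  cache_bdd_id: 0,
  email: "user@example.com",
  password_hash: "constructed-hash-value",
  internal_notes: "constructed internal field",
};

// Allow-list per (endpoint, role). Anything not listed is never serialized,
// so a new sensitive column added to the table does not leak by default.
const FIELD_POLICY = {
  "GET /me": {
    user: ["user_id", "entreprise_id", "email"],
    admin: ["user_id", "entreprise_id", "email", "internal_notes"],
  },
  "GET /users/:id/public": {
    user: ["user_id"],
    admin: ["user_id", "entreprise_id"],
  },
};

// Shape a response for one endpoint and one caller. Unknown endpoint/role
// combinations throw, so a misconfiguration fails closed rather than returning everything.
function shapeResponse(endpoint, caller, record) {
  const roles = FIELD_POLICY[endpoint];
  const allowed = roles && roles[caller.role];
  if (!allowed) throw new Error(`no field policy for ${caller.role} on ${endpoint}`);
  // Object-level check: a non-admin may only read their own record.
  if (caller.role !== "admin" && record.user_id !== caller.user_id) {
    throw new Error("forbidden: record does not belong to caller");
  }
  return Object.fromEntries(
    allowed.filter((k) => k in record).map((k) => [k, record[k]])
  );
}

// Stand-alone run: only the three allow-listed fields are emitted for a normal user.
console.log(shapeResponse("GET /me", { role: "user", user_id: 2 }, userRecord));
```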