NodeJS - Securing API calls

Hello Wapplers,

I have several API calls which can be called outside of a web server with some scripts/Postman/etc.
Question is: How can I apply some security/restrictions for such API calls?
The idea is to use some password/passphrase in the scripts as security.

See this thread

Looks like in your example you’re trying to communicate securely between two Wappler sites. But I want to secure API calls made from scripts.

You can go with an API key that has to be passed in the header and/or a Security Restrict if you only want them to be run by logged-in users or users with certain permissions.

You just need to implement the logic you are happy with in the Server Connect.

The approach is more a generic security question regarding APIs. You can google some articles about it and just apply them in Wappler. I believe Wappler can handle all the recommended strategies.

Tip: build the logic in a library action and add it at the beginning of the APIs you want to secure. It will be easier to maintain.

1 Like

Thank you!
That’s exactly what I was thinking of, but I wanted some “proof” from Wappler “veterans”.

1 Like

@JonL May I ask an additional question regarding this topic? I’ve created a validation step before my SQL query which compares $_SERVER.HTTP_AUTHORIZATION with entries in my DB.

Is it a good way to implement “some level of API security”?

You need to send a server response if it’s not present or unauthorized, so I would check the authorization header against the table via a conditional. If present, do your stuff; else send a 401 response.

1 Like

Thank you so much!
In the end my API action looks like this:

image

2 Likes
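
The check discussed in this thread (compare the Authorization header with stored entries, otherwise respond 401), written in plain Node.js as an added example; it is not code from the thread or from Wappler. The in-memory `keyTable`, the function names, the sample keys, the optional `Bearer` prefix and the choice to store SHA-256 hashes rather than raw keys are all assumptions.

```javascript
const crypto = require("node:crypto");

// Hash keys before storing or looking them up, so a leaked table
// does not hand out usable keys (assumed storage scheme).
function hashKey(key) {
  return crypto.createHash("sha256").update(key, "utf8").digest();
}

// Constructed stand-in for the DB table of issued keys:
// client name -> SHA-256 digest of that client's key.
const keyTable = new Map([
  ["backup-script", hashKey("constructed-sample-key-1")],
  ["postman-dev", hashKey("constructed-sample-key-2")],
]);

// Returns the matching client name, or null. Each row is compared with
// timingSafeEqual and the loop never exits early on a match.
function findClient(presentedKey, table) {
  const presented = hashKey(presentedKey);
  let match = null;
  for (const [client, stored] of table) {
    if (crypto.timingSafeEqual(presented, stored)) match = client;
  }
  return match;
}

// headers: object with lower-cased names, as Node's http module provides.
function authorize(headers, table = keyTable) {
  const raw = headers["authorization"];
  if (typeof raw !== "string" || raw.trim() === "") {
    return { status: 401, body: { error: "missing API key" } };
  }
  // Accept "Bearer <key>" or the bare key (assumed header format).
  const key = raw.replace(/^Bearer\s+/i, "").trim();
  const client = findClient(key, table);
  if (client === null) {
    return { status: 401, body: { error: "invalid API key" } };
  }
  return { status: 200, client }; // caller continues to the query step
}
```

Run `authorize(req.headers)` as the first step of each protected endpoint and stop with the returned 401 before any query executes.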