1 answer
Hi Nas,
I suppose that you can make use of
Enable API for Internal Use?
Navigate to APP composer > API Builder > Settings > All properties > Advanced Settings.
There you can see the "Enable API for Internal Use?" option.
That way, the API that is displayed can't be called externally.
It can be used for internal purposes only.
Hence, the api_id and api_key exposed inside the console become unusable by an external party.
May this help you in resolving your concern.
Thanks!
- NAS
Hi John Smith,
Thanks for the suggestions. Based on your response, I suppose using the Enable API for Internal Use feature would resolve the concern of the stated security issue. I have checked the documentation accessible at https://dev.joget.org/community/x/BgITAw , a snapshot is shown as below.
However, I have some concerns that require clarification after enabling this feature. As the API key and API id would still be exposed, and moreover can be seen in the console, is there any way to test the API externally to ensure the API is unusable as expected? Kindly advise.
Thanks.
- NAS
Following up to the previous comment, I have tested the API through Postman, and yes, the API is not usable externally, as expected.
Hi. When viewing a specific form, I have a custom button that is expected to delete the record of the viewed form through an API built in API Builder. However, this approach requires us to expose the values of the API key and API id to the user when the page has been rendered, which would cause security issues.
What is the appropriate approach to perform the delete operation on a specific viewed form with a correct and secure implementation of the API? Kindly advise. Thanks.