What are the things that need to be considered while deleting a resource through an API?


Consider a simple resource like the products of a web application. If someone gets hold of an access token and the resource ID, they can easily delete a resource. How can we protect against such attacks?

Answer by mbakereth:

For regular users, you shouldn’t grant delete privileges on tables such as products. This should be restricted to admin users.

If your admin account needs to delete products over an API, then yes, if an access token is disclosed your products are vulnerable to deletion. The best defences are:

  • Keep access tokens secure by only sending them over HTTPS
  • Don’t allow deletion in GET requests
  • Use a CSRF token
  • Check that the IP address and/or user agent match the values from when the token was created
  • Use short expiry times for access tokens

Have a look at OAuth2 access tokens.
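As an added example (not part of the answer above, and not any framework's own code), here is a small Python delete handler that applies the answer's server-side checks in the order a real endpoint would: method, token validity and expiry, IP/user-agent binding, CSRF token, and finally an admin-only rule. The token store, product table, addresses and CSRF values are all constructed for illustration; transport security (HTTPS) is outside what a handler can check.

```python
import hmac

# Constructed in-memory token store (token -> claims) and product table.
# In a real service these would be an OAuth2 introspection result and a database.
TOKENS = {
    "tok-admin":   {"sub": "alice", "role": "admin", "ip": "10.0.0.5", "ua": "curl/8.0",
                    "exp": 1_000_300, "csrf": "csrf-alice"},
    "tok-user":    {"sub": "bob",   "role": "user",  "ip": "10.0.0.9", "ua": "Mozilla/5.0",
                    "exp": 1_000_300, "csrf": "csrf-bob"},
    "tok-expired": {"sub": "carol", "role": "admin", "ip": "10.0.0.7", "ua": "curl/8.0",
                    "exp": 999_000, "csrf": "csrf-carol"},
}
PRODUCTS = {"p1": "widget", "p2": "gadget"}


def handle_delete(method, token, client_ip, user_agent, csrf_token, product_id, now):
    """Apply each defence in turn; return (HTTP status, reason). `now` is a unix time."""
    # 1. Never perform a delete on GET (or anything other than DELETE).
    if method != "DELETE":
        return 405, "method not allowed"
    claims = TOKENS.get(token)
    if claims is None:
        return 401, "unknown token"
    # 2. Short-lived tokens: a leaked token stops working once it has expired.
    if now >= claims["exp"]:
        return 401, "token expired"
    # 3. Token binding: the request must come from the IP and user agent seen at issuance.
    if client_ip != claims["ip"] or user_agent != claims["ua"]:
        return 401, "token binding mismatch"
    # 4. CSRF token must match the one issued with the session, compared in constant time.
    if not hmac.compare_digest(csrf_token or "", claims["csrf"]):
        return 403, "bad csrf token"
    # 5. Authorisation: only admin users may delete products.
    if claims["role"] != "admin":
        return 403, "delete requires admin"
    if product_id not in PRODUCTS:
        return 404, "no such product"
    del PRODUCTS[product_id]
    return 204, "deleted"
```

Each check short-circuits with a distinct status so that failed attempts (expired tokens, binding mismatches, non-admin deletes) can be logged and alerted on separately.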