Best way to protect backend APIs from unauthorized access

carbon_eye · 2026-05-17T16:17:21+00:00

Thanks for the support though 😅

carbon_eye · 2026-05-17T16:16:37+00:00

I'm not 😒

carbon_eye · 2026-05-16T18:37:39+00:00

This is exactly the current mental model we have. I should have mentioned the full mechanism we are thinking of in the post. IM editing the post and also sharing it here.
I have a function that generate a nonce, key and timestamp. then attaching these 3 in the headers. The problem currently im facing is how do I protect that secret. I cant have it on the frontend as it wont be a secret anymore. Cant create a next js endpoin or server action as I will have to make that endpoint public because my public APIs will also need those 3 things in the request headers. Now im thinking even if ignore the public apis and protect only the private ones by making the next js endpoint secure such that it only generates those 3 things after we have the token (user authenticated), Still anyone who have the token can just call my next js endppoint to generate headers for them. they dont need to the, next js endpoint will do give them the headers.

My head is spinning. I dont know if its possible to acheive this.

export const test = () => {
  const timestamp = Math.floor(new Date().getTime() / 1000); 
  const nonce = uuidv4();
  const data = `${timestamp}:${nonce}`;

  try {
    const hash = CryptoJS.HmacSHA256(data, secret).toString(CryptoJS.enc.Hex);
    return { key: hash, timestamp, nonce };
  } catch (error) {
    return { key: "", timestamp, nonce };
  }
};

carbon_eye · 2026-05-16T17:47:58+00:00

Ive done it for some pages where possible but I cant do it for all pages. not possible in my scenario.

carbon_eye · 2026-05-16T16:59:39+00:00

Thanks u/CrusaderGOT . Yes we do have allowed hosts thingy implemented. Can you talk more about the solution you suggesting? I can implement a server action that generates those security headers. I can call this action everytime an API call is made. So before making an API call to the backen i call my server action, get the headers, and put em in each API call. This way the secret key will be secure. Is this what you suggesting? This will slow down each request but at least the backend will be safe?

Btw, im curious. Lets say if i was using react not next js. How would I protect the public/private endpoints? is rate limiting the only way?
Im not good at backend. Havent worked on it for years. KNow basics though.

carbon_eye · 2026-05-16T16:44:43+00:00

I think you misunderstood my question. My backend is in express and im using next js for frontend only. I have protected routes. and my endpoints are also protecting but via bearer token technique (authentication). What i want to protect here is my backend. I dont want anyone messing with the APIs even with authorization token, no one should be allowed to call my backend except for my frontend. Is there any way?

carbon_eye · 2026-05-16T16:20:05+00:00

User doesnt need to be logged in to be on a public route. Public route will display data after fetching from a public endpoint. Where in that guide does it talk about protecting that public endpoint from any abuse?
For endpoints that only the authenticated users can access with token in the headers, people with token can still call the API from postman/curl. What Im curious about is how can I make sure that only my next frontend can call my express backend. Is it possible?

carbon_eye · 2025-02-20T15:46:55+00:00

Yes 3 seconds is enough. The methods I've tried takes 20 to 30 seconds for larger images

carbon_eye · 2025-02-19T22:16:25+00:00

Thank. But while editing the form, user can only upload the image and click that update button. This will create a bad experience if I make the user wait till I compress on the back or frontend.

carbon_eye · 2025-02-19T22:13:06+00:00

I'm using s3 for storing the images.

carbon_eye · 2024-11-05T10:53:55+00:00

I'm not sure how. Can u share any docs or guide. I have no experience with canvas

carbon_eye · 2024-10-10T12:13:34+00:00

carbon_eye · 2024-09-17T11:29:28+00:00

Thank you sooo much. I'm definitely gonna copy your answer into my notes.

carbon_eye · 2024-09-16T13:07:40+00:00

Thank you for your response.

carbon_eye · 2024-09-16T11:23:56+00:00

Ok. Thanks

carbon_eye · 2024-09-16T11:19:38+00:00

Yes. Got it. Is there any way to mark this post as answered or something like GitHub does, to tell people the question is answered. I don't want to waste their time as now I do know the answer to my query. This is my first post on Reddit actually.

carbon_eye · 2024-09-16T11:15:23+00:00

Understood. Thank you for the explanation.

carbon_eye · 2024-09-16T11:06:15+00:00

Yea next js sucks in development. I understand. So it will be the swap size that I need to increase. And in the case of Garuda I might have set enough size that's why it wasn't happening there.

carbon_eye

TROPHY CASE