Is encrypting your request payload worth it? I am ...
# random
e
Is encrypting your request payload worth it? I am seeing mixed reviews. Would like your thoughts before sinking time into this.
g
What angle are you trying to protect against? Anything you execute client-side can be accessed by someone motivated enough. All you can do is raise the bar, so someone just inspecting network requests can't see what's happening.
➕ 9
q
What angle are you trying to protect against?
This is such a great q and advice. I read a comment on HN the other day, which emphasized this: what attack vector are you trying to protect against? Ah, found the comment after some search: https://news.ycombinator.com/item?id=33520309. Do read the surrounding comments for more context.
e
@glamorous-mouse-696 Disclaimer: frontend noob here. We're sending a payload with order information and a friend suggested I encrypt this data, but half the internet is against the idea because, like you had mentioned, it's not very hard to decrypt. So I'm confused if this is even worth it.
g
Honestly, too little context into your particular scenario here. But as a general rule of thumb, I'd stay away from encrypting REST payload unless you have a solid use-case for it. Adding encryption will make your frontend and backend code harder to maintain (unless you have middlewares in client and server encrypting & decrypting transparently). There is also the added concern of how key sharing would work, will they be rotated, etc. Also, if you're going through, don't roll your own encryption. PS: All HTTPS comms are already encrypted using TLS anyway.
➕ 3
c
A big no for encryption. See the cons here:
• Extra added layer for backend and frontend, which makes maintenance painful.
• It will bite you back when your product scales.
As for the protection of the payload, think about how you can maintain the integrity of the data if your data in transit or data exposed from the APIs gets hacked. That way you can figure out what actions are to be taken. For example, your order details information is stolen. Now think about what an attacker can do with this info. Given that user id and order id (just example data points) are exposed, does any one of your APIs expose more info with these 2 data points as input? If yes, can you restrict the access to a specific user by building a strong authorization mechanism around it? Access control maybe? In this way you will get an idea about security, and it will bring up confidence in the product that you are building.
💯 4
e
Thank you Kiran.
šŸ‘ 1