Home Search Pricing Get inErrata About

Sign in Sign up

Graph/unprotected-api-entry-points

AntiPattern

Unprotected API Entry Points

unprotected-api-entry-points

APIs become reachable through missing or bypassable controls—auth/CSRF middleware not applied to redirect targets, insecure token handling, and WebSocket/CORS misconfig—so requests can be sent directly or from untrusted origins without enforcement.

Node Details

Public graph metadata

Updated6/28/2026

Connections

30 linked nodes

MATCHESSolution

You can use a global dependency: — FastAPI. Tension: there's no way to set auth tokens in the docs. Outcome: app.openapi = custom_openapi.

MATCHESSolution

I added the below redirect URL to the Web Platform in the Api App registration. Tension: AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption. Outcome: http://localhost:8000/docs.

MATCHESSolution

read access should be done through CloudFront — if you are not directly needing TLS 1.0 or 1.1 for your own application needs. Tension: you are not at further risk of attack from outside entities. Outcome: place other services/protections/permissions in place so that you are not at further risk of attack from outside entities.

MATCHESSolution

My solution was to create a dedicated API route (or endpoint) and move the core logic — when sending the request to the API route. Tension: the session would be lost only on Android. Outcome: I explicitly added the access token like `Authorization: Bearer {access_token}`.

MATCHESSolution

Attach an authentication dependency to only the endpoints that must be protected—either by adding `Depends(...)` (e.g., `HTTPBasic` or the configured AuthX dependency) directly on each protected route or by registering those routes under a separate `APIRouter` with the required auth dependency.

MATCHESSolution

the API keys are stored in an encrypted form — more-annoying techniques (e.g., native code via the NDK). Tension: This too makes it more difficult for an attacker to get the keys. Outcome: but it does not prevent it completely.

MATCHESSolution

requires a valid account, SSL with certificate pinning — to protect your own server API calls. Outcome: This increases the difficulty for an attacker to get the keys.

MATCHESSolution

Choose solutions where the keys reside on your server — your server gets data from the client using your own APIs and forwards it to the third-party service. Tension: To prevent an attacker from getting client-side API keys.

MATCHESSolution

You should not use that value in the app that the users run — such as your development machine, a server that you control, or a serverless environment like Cloud Run/Cloud Functions. Tension: If a value is meant to be a secret from the users of your app. Outcome: make an endpoint on that environment that your app can call, and protect access to the endpoint.

MATCHESSolution

Another possible option, if you cannot achieve SSO in a standard way — safe to pass in URLs since they have a very short lifetime and can only be used once. Tension: These are safe to pass in URLs since they have a very short lifetime and can only be used once. Outcome: This type of solution usually requires you to to customize the login flow for Site B.

MATCHESSolution

Pass the API key as a parameter in the request URL instead of as an HTTP header

MATCHESSolution

a CSP may specified allowed domains and that TLS is needed — your API is on domain1 and I own domain2 where I want to request end points from your server. Tension: If you want my domain to be allowed to request your domain's API from any app, browser or not. Outcome: If you want to allow requests from any source, then you also need to specify CSP accordingly.

MATCHESSolution

you can setup basic CORS policies — If you have control over the endpoint providing jwt token. Tension: so that only your app will be whitlested and accessible to the endpoints. Outcome: Here is the sample example for CORS settings.

MATCHESSolution

Use Laravel Sanctum personal access tokens and CSRF tokens to authenticate API requests

MATCHESSolution

Perform the authorization-code-to-token exchange in the backend to keep tokens and the client secret off the client. Create/establish an app-specific user session (e.g., HTTP session cookies or tokens) and do not use the external provider access token directly for your backend authorization; generate/validate authorization specific to your APIs.

MATCHESSolution

You should also look into CORS (Cross-Origin Resource Sharing) and related security headers — requests made to the fastapi app can only be made by my co-workers. Outcome: Defending against this requires authentication of the requests to the API.

MATCHESSolution

send token in headers — Then try using protected endpoint. Tension: Swagger will not store your token and attach it to every request.

MATCHESSolution

As a default and mainstream solution I would use a BFF that issues short lived access tokens in HTTP only cookies — When a browser tab is closed, it must not be possible for its API credential to be abused by malicious sites. Tension: These should also use the `SameSite=strict` property, for the best protection against cookie misuse via cross site request forgery. Outcome: These should also use the `SameSite=strict` property.

MATCHESSolution

The most correct OAuth way to design this is to use scopes and claims. — access tokens and the user identity to flow between microservices. Tension: without security concerns. Outcome: The APIs also check for required scopes.

MATCHESSolution

Your API should also be designed according to the Open Design principle — Your API should also be designed according to the Open Design principle. Tension: the API has to be secure without making access to it secretive. Outcome: which means that the API has to be secure without making access to it secretive.

MATCHESSolution

Mitigate by rate-limiting and/or blacklisting the offending IP (with awareness of proxy/tor evasion), optionally filtering/blocking suspicious payload patterns (largely ineffective if payloads vary), and/or requiring authentication for the resource and blocking offending users. For stronger protection, add detection and a challenge like CAPTCHA or place the app behind a service such as Cloudflare to handle security responses.

MATCHESSolution

this piece of code was still executed — if I was hitting a URL affected by "permitAll()". Tension: permitAll() doesn't require the request to be authenticated but still hits the "doFilterInternal" code. Outcome: Found the problem.

MATCHESSolution

APIs are only private when they only serve requests from inside a private network — If yes. Tension: From the moment that an API is accessed via the internet it's a public API. Outcome: only serve requests from inside a private network.

MATCHESSolution

protecting the individual endpoints properly. Tension: data from the frontend can and shouldn't be trusted from a security perspective. Outcome: you're already taking the proper countermeasures.

MATCHESSolution

Do not call the OpenAI API directly from the mobile app; instead route requests through your own backend/cloud function that holds the API key. Optionally add additional request authorization/throttling and signing/encryption on top between the app and your backend so the OpenAI key never reaches the client.

MATCHESSolution

you should consider using community-driven packages built for this kind of thing — Typically, any attempt at solving XSS attacks yourself should be avoided. Tension: they will find these pseudo-protocol calls. Outcome: as they will find these pseudo-protocol calls and santize/strip them for you.

MATCHESSolution

Configure Spring Security to ignore (bypass) the swagger-ui and api-docs endpoints by adding matching paths (e.g., /swagger-ui/** and /v3/api-docs/**, plus /swagger-ui.html) via a WebSecurityCustomizer (or equivalent permitAll configuration) so the documentation endpoints are accessible.

MATCHESSolution

Wget before 1.21.1 forwards HTTP Authorization headers to different origins when following cross-origin redirects. — when following cross-origin redirects. Tension: This is a critical information-leak vulnerability that affects users who authenticate to legitimate websites and are then redirected to attacker-controlled servers.

MATCHESSolution

The vulnerability requires sanitizing URLs before storing them in extended attributes — extended file attributes (xattr) using the --xattr option. Tension: URLs frequently contain sensitive data such as API keys, authentication tokens, session IDs, OAuth credentials, or authentication credentials.

MATCHESSolution

Implemented Content-Security-Policy, X-Frame-Options, CSRF tokens, and rate limiting middleware — for Tor hidden services. Outcome: Implemented Content-Security-Policy, X-Frame-Options, CSRF tokens, and rate limiting middleware for Tor hidden services.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Unprotected API Entry Points - inErrata Knowledge Graph | Inerrata