Exploring Security Issues with JavaScript Web APIs

This article explores the challenges and solutions of using third-party APIs in web applications while maintaining security. Browsers enforce a same-origin policy to prevent unauthorized data exchange between different domains. However, this policy can also hinder legitimate transfer of data between websites that have different origins. CORS, JSONP, and XHR proxies are three commonly used approaches to work around this policy while still maintaining security.

CORS, or Cross-Origin Resource Sharing, is a standard that lets a server relax the same-origin policy for selected origins by placing information in HTTP message headers. CORS requires the server hosting the resource to include an Access-Control-Allow-Origin header in the HTTP response it sends to the requesting site. This header tells the browser that the requesting site's origin is allowed to read the response. CORS is widely used and supports both XMLHttpRequest objects and the Fetch API.

JSONP, or JSON with Padding, is a legacy approach that uses the script element to load JSON data from a server running on a different origin. The data is returned inside the script as the argument of a callback function, allowing developers to access the data without being blocked by the same-origin policy, since script elements are exempt from it. However, JSONP brings executable code from the other server into the website, so a compromised or malicious server can run arbitrary script in the page. JSONP only works with data in JSON format, and there is no easy way to determine whether a request has failed or why.

XHR proxies, or XMLHttpRequest proxies, route requests through a trusted domain to work around the same-origin policy. The app makes its request to a proxy server, which fetches the resource and passes the response back to the web application. The app can use an AJAX request object (XMLHttpRequest) or Fetch to make the request to the proxy server, including parameters that indicate which API the proxy should call. CORS-Anywhere is an example of a proxy server that can manage such requests, but developers must set up an account to utilize its features.

Each approach has its advantages and disadvantages, and developers must choose the one that best suits their security needs. CORS is widely used and straightforward, but it does not work with older browsers. JSONP is simple but has security risks and limited data format support. XHR proxies are a more flexible and secure solution, but they require additional configuration and management. In conclusion, developers must carefully evaluate their security requirements before using third-party APIs in their web applications.

EXAMPLES

Here are programming examples for each of the three approaches:

  1. CORS Example:

To enable CORS, the server hosting the resource needs to include an Access-Control-Allow-Origin header in the HTTP response message sent to the requesting site. Here’s an example code snippet that demonstrates how to use CORS with the Fetch API to make a cross-origin request to a server:

// Cross-origin GET; the browser adds the Origin request header by itself.
fetch('https://example.com/api/data', {
  method: 'GET',
  mode: 'cors',
  headers: {
    // Not needed on a body-less GET; a non-simple header such as this one
    // turns the request into a preflighted one (an OPTIONS request goes first).
    'Content-Type': 'application/json'
  },
})
.then(response => {
  // fetch only rejects on network or CORS failure; HTTP errors arrive here.
  if (!response.ok) throw new Error(`HTTP ${response.status}`);
  return response.json();
})
.then(data => {
  console.log(data);
})
.catch(error => {
  // A request blocked by the same-origin policy surfaces here as a TypeError.
  console.log(error);
});

In this example, the fetch function is used to make a GET request to the https://example.com/api/data endpoint. The mode property is set to cors to indicate that a cross-origin request is being made. The server hosting the https://example.com/api/data endpoint needs to include the following header in the response for the request to be successful:

Access-Control-Allow-Origin: *

If the requests come from www.domainXYZ.com and you want that to be the only website allowed to make this API request, the header should instead be:

Access-Control-Allow-Origin: www.domainXYZ.com

To do this in PHP for a limited set of domains only, e.g. 4 domains, see here:

http://leonidassavvides.com/blog/2023/04/24/enable-cors-for-multiple-domains-in-php/#.ZEYT9nZBwuU
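The allow-list the PHP link above describes, written out here as an added example in JavaScript (Node-style server logic, not code from the original post). The two allowed origins are constructed placeholders. It shows the two points a practitioner most often gets wrong: an origin is scheme + host + port and must be matched exactly, and a prefix or substring test lets a look-alike host through.

```javascript
// Added example, not code from the original post: a server-side CORS
// allow-list for several domains. The origins below are constructed
// placeholders (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://www.domainXYZ.com',
  'https://app.domainXYZ.com',
]);

// An origin is scheme + host + port, so the comparison must be exact:
// 'http://www.domainXYZ.com' or 'https://www.domainXYZ.com:8443' are
// different origins and stay blocked.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// A prefix test is a common mistake: a host such as
// https://www.domainXYZ.com.example passes it. Kept here only to
// contrast with the exact match above.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.startsWith('https://www.domainXYZ.com');
}

// Build the status and response headers for a request carrying the given
// Origin header. For method 'OPTIONS' this answers the preflight.
function corsResponse(method, origin) {
  if (!isAllowedOrigin(origin)) {
    // No Access-Control-Allow-Origin header: the browser refuses to hand
    // the response to the calling script. The request itself still
    // reached the server, so CORS is not a substitute for authentication.
    return { status: method === 'OPTIONS' ? 403 : 200, headers: { Vary: 'Origin' } };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*'
    Vary: 'Origin',                        // caches must key on the Origin header
  };
  if (method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Stand-alone demonstration
console.log(corsResponse('GET', 'https://www.domainXYZ.com'));
console.log(corsResponse('GET', 'https://www.domainXYZ.com.example'));
console.log(weakOriginCheck('https://www.domainXYZ.com.example')); // true: the weak check is fooled
```

Because the allowed value is echoed per request, the Vary: Origin header is needed so that a shared cache does not serve one origin's Access-Control-Allow-Origin to another.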

  2. JSONP Example:

To use JSONP, you need to create a script element that calls an API running on a server from a different origin. The server returns the requested content in JSON format, which is treated as the parameter for a callback function. Here’s an example code snippet that demonstrates how to use JSONP to make a cross-origin request to the Giphy API:

// Builds a script element whose src points at the JSONP endpoint; the
// callback name travels as a query parameter and must be a global function.
function getGiphyData(callback) {
  const script = document.createElement('script');
  script.src = `https://api.giphy.com/v1/gifs/random?api_key=YOUR_API_KEY&callback=${encodeURIComponent(callback)}`;
  document.head.appendChild(script);
}

// Invoked by the script the server sends back, e.g. handleGiphyData({...});
function handleGiphyData(data) {
  console.log(data);
}

getGiphyData('handleGiphyData');

In this example, the getGiphyData function creates a script element that calls the Giphy API with an API key and a callback function name. The callback function handleGiphyData is defined to receive the JSON data returned by the API. The getGiphyData function appends the script element to the head element of the document, which makes the browser fetch and execute the returned script. Finally, getGiphyData is called with the callback function name as an argument.
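What the server side of that exchange sends back, and why the article calls JSONP risky: the callback name from the query string is written straight into executable script. The following is an added example (not the Giphy API's code and not part of the original post) of a JSONP responder that validates the callback name before using it. The sample payload and callback names are constructed.

```javascript
// Added example, not code from the original post: a JSONP endpoint's
// response builder with the check that stops the callback parameter from
// being turned into arbitrary script. Sample data is constructed (assumption).

// A JSONP callback must be a plain JavaScript identifier, optionally
// dotted (e.g. app.handlers.onData). Anything else is rejected because
// the name is emitted verbatim into code the browser will execute.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_NAME.test(name);
}

// Returns { status, headers, body } for the given callback and data object.
function jsonpResponse(callbackName, data) {
  if (!isValidCallbackName(callbackName)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback name',
    };
  }
  // JSON.stringify escapes quotes and control characters, but U+2028 and
  // U+2029 are legal inside JSON strings and were line terminators in older
  // JavaScript engines; escape them so the script stays one statement.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      // Serve as script (that is what it is), and forbid content sniffing.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading /**/ is the prefix several large APIs add so the response
    // body can never begin with caller-chosen bytes.
    body: `/**/${callbackName}(${json});`,
  };
}

// Stand-alone demonstration: the normal case and a rejected name.
console.log(jsonpResponse('handleGiphyData', { data: { id: 'constructed-id' } }).body);
console.log(jsonpResponse('alert(document.cookie);//', {}).status); // 400
```

The browser-side script from the article receives the 200 body as a script and calls handleGiphyData with the decoded object; a 400 response is a script-load error, which the article's client cannot see, because a script element gives no access to the status code.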

  3. XHR Proxy Example:

To use an XHR proxy, you need to make a request to a trusted proxy server that can handle the cross-origin request on behalf of your app. Here’s an example code snippet that demonstrates how to use an XHR proxy with the XMLHttpRequest object to make a cross-origin request to the GitHub API:

const xhr = new XMLHttpRequest();
// The target API URL is appended to the proxy URL; the proxy fetches it and
// returns the response with CORS headers added.
xhr.open('GET', 'https://cors-anywhere.herokuapp.com/https://api.github.com/repos/jquery/jquery/commits', true);
// Not needed on a body-less GET and forces a preflight; the proxy answers it.
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onreadystatechange = function() {
  // readyState 4 means the response is complete; check the status as well.
  if (this.readyState === 4 && this.status === 200) {
    const data = JSON.parse(this.responseText);
    console.log(data);
  }
};
xhr.send();

In this example, the XMLHttpRequest object is used to make a GET request to the GitHub API through the https://cors-anywhere.herokuapp.com proxy server. The setRequestHeader method sets the Content-Type header to application/json. The onreadystatechange event handler processes the response from the server. If the ready state is 4 and the status code is 200, the JSON.parse method parses the JSON data returned by the server. Finally, the parsed data is logged to the console.
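A proxy is only as trustworthy as the limits it places on where it will forward to: a proxy that forwards to any URL is usable by anyone for anything, and it also sees every request it relays. The following is an added example (my own, not CORS-Anywhere's code and not from the original post) of the admission check a self-hosted XHR proxy should run before forwarding. The allowed hosts, sample URLs and header names are constructed; the URL shape mirrors the cors-anywhere URL used in the article.

```javascript
// Added example, not code from the original post: target admission and
// header filtering for a self-hosted XHR proxy. Host list and sample
// values are constructed (assumption).
const ALLOWED_TARGET_HOSTS = new Set(['api.github.com', 'api.giphy.com']);

// The article's proxy URL is <proxy>/<target URL>; recover the target part.
function targetFromProxyPath(path) {
  return path.startsWith('/') ? path.slice(1) : path;
}

// Parse the requested target and accept it only if it is https and on the
// allow-list. Returns the normalised URL to forward to, or null to refuse.
function admitProxyTarget(rawTarget) {
  let url;
  try {
    url = new URL(rawTarget);          // rejects relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;             // no http:, file:, etc.
  if (url.username || url.password) return null;           // no user@host tricks
  if (!ALLOWED_TARGET_HOSTS.has(url.hostname)) return null; // exact host match
  if (url.port !== '') return null;                        // default port only
  return url.href;
}

// Forward only a fixed set of request headers. Cookies or Authorization
// headers that the browser attached for the proxy's own origin must not be
// replayed to the target.
const FORWARDED_HEADERS = new Set(['accept', 'content-type']);

function filterForwardedHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (FORWARDED_HEADERS.has(key)) out[key] = value;
  }
  return out;
}

// Stand-alone demonstration with the article's GitHub URL.
const demoPath = '/https://api.github.com/repos/jquery/jquery/commits';
console.log(admitProxyTarget(targetFromProxyPath(demoPath)));
console.log(admitProxyTarget('https://internal.example/admin')); // null: not on the allow-list
console.log(filterForwardedHeaders({ Cookie: 'session=constructed', Accept: 'application/json' }));
```

With this in place, the proxy is a narrow gateway to a few known APIs rather than an open relay, and the browser's cookies for the proxy origin stay with the proxy.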

Leaflet: Security of your Possessions while you are traveling

When you plan to travel abroad, there are actions to take “Before you go”, “During your stay” and “On your return”.

Here are the most important actions to take care of:

A) Before you go

Money & ID matters

Make two photocopies of your passport, ID card, driver's license, credit cards, and airline or sea tickets. Also note the serial numbers, ID numbers and distinguishing features of your laptop and mobile phone, so they can be identified if they are found after being lost. Keep one copy at home and the other in your suitcase, not near your valuables.

Do NOT take all your credit cards or your Social Security card with you, only the necessary ones. Do not keep all cards or valuables in one place; split them between two places.

It is better to take an old mobile phone or old laptop with you, without important data such as passwords on it. You may want to use this laptop to access your bank account over the internet, but only in secure places like your hotel, not in internet cafes.

Then contact your bank, tell them you plan to travel to that particular country, and ask for any advice or tips they can give. Ask how, in case of loss or theft of cards or cash, you can cancel and replace them anywhere in the places you plan to travel, covering all possibilities. Note the phone numbers or websites where you can disable lost cards or order new ones, along with cash. Keep these together with the photocopies above and on your mobile phone. Also keep the emergency numbers of the country you are visiting: hospital, police, fire, hotel, taxis, and of course your embassy.

Country profile

First read the country profile and learn about its laws and customs, crime, maps, transport routes, internet crime, and recent news. All of this can be found online.

General

In a country where English is not widely spoken, it is also good to learn some words and phrases of the local language and to bring a pocket phrasebook with you; it can be used anywhere on your trip.

Laptop & Mobile Phone (wifi/3G/Roaming)

Find out in advance which places and stays on your trip offer a safe internet connection (for example for internet banking), and arrange roaming costs and plans for the visited country with your cellular and internet provider at home. You may consider buying a one-month roaming data plan for your internet connections from your cellular provider.

Tell only a few family members or friends about your trip, and agree, for example, that if they do not hear from you by phone every 2-3 days, something has happened.

B) During your stay

Hotel

When you go out of your hotel, take only 2 credit cards and some cash with you; leave the rest in the hotel safe along with all other ID documents. Keep the photocopies mentioned above in your suitcase.

Always lock the hotel room.

Transportation

Take only authorized taxis.

On trains, trams or buses you may be drugged and robbed while sleeping. Avoid long waits in terminals, since pickpockets, thieves, and violent offenders are common in such areas.

Laptop theft is common in airports.

Laptop & Mobile Phone (wifi/3G/Roaming)

Use the wifi or Ethernet internet connection of your hotel rather than an internet cafe, since it is more secure. Bad guys may compromise your connection and steal private information or install malware on your laptop.

Do not attach devices such as USB memory sticks to your laptop.

Log on to the company network only from the company's laptop.

If you lose your laptop and/or mobile phone, report it immediately to the local authorities and to your consulate, with your photocopies and ID numbers.

Money Matters

If you lose your wallet (all or part of your possessions), report it immediately to the local authorities and to your consulate, and provide your photocopies. Also call your bank's staff so they can cancel the credit cards and send replacements to your hotel or consulate.

Before you depart for your home country

When everything has gone well and you are ready for departure, compare, check and count all your possessions and ID documents in your hotel against the photocopies: credit cards, traveler's checks left, passport, driving license. If something is missing, notify the authorities or your bank immediately.

C) On your return

On your return, compare, check and count all your possessions and ID documents against the photocopies: credit cards, traveler's checks left, passport, driving license. If something is missing, notify the authorities or your bank immediately.

Also, on arrival home and for 1 or 2 months thereafter, check your bank account and credit card statements online through your online banking for any suspicious activity. If you detect anything, contact your bank immediately to cancel the credit card(s).

Links: FBI, travel.state.gov