Security - pass password/secrets to Webapi

What is the best practice for passing sensitive information like a password/secret from Angular to Webapi?

Do we need to hash/encrypt them at the client before sending them to the Webapi?

Would using the https:// protocol be enough to pass the sensitive information over the wire without encrypting it?

Let me know your thoughts.

1 answer

  • answered 2018-01-11 19:08 shaunhusain

    Using HTTPS is encrypting.

    SSL is Secure Sockets Layer and uses various encryption algorithms (configured on the web server) to encrypt all communication, and it is the best means of protecting information. Any data sent to the client is compromised, so encryption in the browser (JS, not native) is typically considered not worthwhile.

    I suggest going to letsencrypt and setting up certbot to get/renew your certificates; it also helps with server configuration. You may also want to look into general "server hardening guides" on Linux. I also use a program called lynis on the server side to help audit/lock things down. There are also companies that will evaluate the hash algorithms your server is allowing in order to verify it isn't using any algorithms that are known to have exploits (like heartbleed); typically these companies are advertised as "PCI certification" companies, but the tests are basically all automated. (PCI is Payment Card Industry, or Visa/Mastercard security best practices; if they are not followed and data is lost, you may be considered more liable for not following PCI rules/suggestions.)

    Following general security best practices and writing code that is not subject to SQL injection will, unfortunately, put you ahead of most, but there are no silver bullets in security (same as with performance):

    https://www.intellectual-tech.com/blog/web-security-ch-1