I'm trying to develop an API while working in an environment with Ubuntu and Apache, but I'm a bit confused about the security aspects involved. Specifically, I need to secure the files that the API interacts with. Users will require read and write access to a database to modify data, but I don't want them to have unrestricted access to the entire database or the ability to insert invalid data. I'm considering the following permissions structure: Webpage with read and execute permissions, API with execute permissions, and I'm unsure how to set up the database permissions. I recognize that the Apache user needs read and write access to the database for data operations, but allowing public users direct access poses a significant security risk. Where can I find more information on this topic?
3 Answers
It's great that you're thinking about security! Just a heads up, you don't really want to give users direct access to your database. Instead, implement a backend API that handles all requests. This API should validate what changes the user is trying to make before they reach the database. That way, users only interact with the API, and the API can manage permissions securely. Definitely check out some resources on RESTful APIs and security practices for web development!
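The validation step this answer describes, as an added example that is not part of the original answers: an API-side function that accepts only allow-listed fields with valid values and emits a parameterized UPDATE scoped to the authenticated user's own row. The `profiles` table, its columns, the `user_id` key and the `$1`-style placeholders (PostgreSQL convention) are assumptions made for illustration.

```javascript
// Added example: table and column names below are hypothetical.
// Allow-list of the only table and columns the API will write to,
// with one validator per column. Anything not listed is rejected.
const WRITABLE = {
  profiles: {
    display_name: (v) => typeof v === "string" && v.length >= 1 && v.length <= 64,
    age: (v) => Number.isInteger(v) && v >= 13 && v <= 130,
    newsletter: (v) => typeof v === "boolean",
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const reject = (error) => ({ ok: false, error });

// Turn an untrusted request body into a parameterized UPDATE, or reject it.
// userId must come from the authenticated session, never from the body,
// so a caller can only modify their own row.
function buildUpdate(table, userId, body) {
  if (!own(WRITABLE, table)) return reject("table not writable");
  if (!Number.isInteger(userId) || userId <= 0) return reject("not authenticated");
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return reject("body must be an object");
  }
  const columns = WRITABLE[table];
  const keys = Object.keys(body);
  if (keys.length === 0) return reject("nothing to update");

  const sets = [];
  const values = [];
  for (const key of keys) {
    // Identifiers reach the SQL text only after matching the allow-list.
    if (!own(columns, key)) return reject(`field not allowed: ${key}`);
    if (!columns[key](body[key])) return reject(`invalid value for ${key}`);
    values.push(body[key]); // values travel as bind parameters, not SQL text
    sets.push(`${key} = $${values.length}`);
  }
  values.push(userId);
  const text = `UPDATE ${table} SET ${sets.join(", ")} WHERE user_id = $${values.length}`;
  return { ok: true, text, values };
}
```

The returned `text` and `values` are meant to be handed to a database driver that supports bind parameters. The database account the API connects with should hold only the privileges these statements need.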
You need to remember that users accessing your web app aren't the same as users on the file system. File permissions control system users, not web users. As long as your sensitive files are outside the public document root of your server, they won’t be accessible to users on the web. It's good to set proper API endpoints and manage access that way!
Honestly, you might want to consider hiring a professional for this. There are established security practices in place that could save you a lot of headaches. Attempting to solve everything yourself, especially without a solid understanding, could expose you to vulnerabilities. Just a thought!
I totally get where you're coming from! If you're new to web dev, looking up tutorials on creating REST APIs and middleware authentication would be super useful. You might want to check frameworks like Express.js if you're using JavaScript.