I'm trying to develop an API while working in an environment with Ubuntu and Apache, but I'm a bit confused about the security aspects involved. Specifically, I need to secure the files that the API interacts with. Users will require read and write access to a database to modify data, but I don't want them to have unrestricted access to the entire database or the ability to insert invalid data. I'm considering the following permissions structure: Webpage with read and execute permissions, API with execute permissions, and I'm unsure how to set up the database permissions. I recognize that the Apache user needs read and write access to the database for data operations, but allowing public users direct access poses a significant security risk. Where can I find more information on this topic?
2 Answers
You need to remember that users accessing your web app aren't the same as users on the file system. File permissions control system users, not web users. As long as your sensitive files are outside the public document root of your server, they won’t be accessible to users on the web. It's good to set proper API endpoints and manage access that way!
Honestly, you might want to consider hiring a professional for this. There are established security practices in place that could save you a lot of headaches. Attempting to solve everything yourself, especially without a solid understanding, could expose you to vulnerabilities. Just a thought!
Related Questions
Cloudflare Origin SSL Certificate Setup Guide
How To Effectively Monetize A Site With Ads