I'm trying to figure out if it's safe to make POST requests to my workplace's server, which hosts duty rosters. To access it, I first have to log in to get a bearer token. Once I have the token, I can request the roster info.
Here's what I've set up to avoid causing any issues:
- I introduce a random delay of 10 to 60 seconds between each request because I need to send 4-5 requests to get the roster.
- I save the roster in a variable on my server for 12 hours before fetching it again, rather than writing it to a file, to limit the load on their server.
The cached roster can be requested through my server using an API key to prevent unauthorized access. My server uses HTTPS, and I have my login info stored securely in a Docker environment variable, planning to utilize Docker secrets.
What's concerning is that this work server, while accessible from the public internet, is meant solely for employees. Can anyone tell me if this approach is safe or if I'm risking any legal troubles, especially under EU/German law?
1 Answer
From a technical standpoint, it sounds like your setup should be fairly safe, as long as you're using secure methods to store your credentials and access the data. However, legally speaking, be sure to check the terms of service for the server. If there's nothing documented, it might be a grey area but still worth understanding.
There are no terms of service for this, as it’s strictly for employee use. It’s essentially an internal resource, even though it’s accessible online.