# |
Apr 24th 2017, 10:31 |
bravo-kernel |
Obfuscation is as secure as it gets |
# |
Apr 24th 2017, 10:31 |
dereuromark |
if you do, use uuid16 :slightly_smiling_face: |
# |
Apr 24th 2017, 10:30 |
bravo-kernel |
Ask @dereuromark, do not use uuid for primary ids |
# |
Apr 24th 2017, 10:27 |
spriz |
Sneaky :) |
# |
Apr 24th 2017, 10:24 |
NeoThermic|Work |
e.g. (sorry for the function chain, but to get one line): $base36uuid = gmp_strval(gmp_init(str_replace('-', '', CakeText::uuid()), 16), 36); |
# |
Apr 24th 2017, 10:22 |
NeoThermic|Work |
doubly so since you can express them as base 36 (once you remove the dashes) for shorter strings in URIs |
# |
Apr 24th 2017, 10:21 |
NeoThermic|Work |
UUIDs are a great choice |
# |
Apr 24th 2017, 10:21 |
spriz |
UUID for primary keys <3 |
# |
Apr 24th 2017, 10:20 |
NeoThermic|Work |
I don't suggest muffin/obfuscate if you want any degree of actual secrecy, mind |
# |
Apr 24th 2017, 10:20 |
NeoThermic|Work |
hmm |
# |
Apr 24th 2017, 10:19 |
birdy247 |
ah I read as optimal :slightly_smiling_face: |
# |
Apr 24th 2017, 10:19 |
bravo-kernel |
Gotta go, gl guys and girls |
# |
Apr 24th 2017, 10:18 |
bravo-kernel |
Simply put: a must IMHO |
# |
Apr 24th 2017, 10:18 |
bravo-kernel |
:face_with_rolling_eyes: |
# |
Apr 24th 2017, 10:18 |
bravo-kernel |
Not optional |
# |
Apr 24th 2017, 10:18 |
birdy247 |
Not optimal? |
# |
Apr 24th 2017, 10:17 |
bravo-kernel |
No problem |
# |
Apr 24th 2017, 10:17 |
bravo-kernel |
Using JsonApiListener is not even optional anymore IMO |
# |
Apr 24th 2017, 10:16 |
birdy247 |
big thanks for writing that |
# |
Apr 24th 2017, 10:16 |
birdy247 |
@bravo-kernel great API blog post |
# |
Apr 24th 2017, 10:16 |
birdy247 |
:) |
# |
Apr 24th 2017, 10:16 |
bravo-kernel |
s/use/you might want to use/ |
# |
Apr 24th 2017, 10:15 |
bravo-kernel |
@birdy use muffin/obfuscate if you want to hide your (auto incremental) ids |
# |
Apr 24th 2017, 10:14 |
Neon1024 |
You can thank bravo-kernel |
# |
Apr 24th 2017, 10:14 |
birdy247 |
the JsonApi is also sweet as |
# |
Apr 24th 2017, 10:14 |
birdy247 |
Man, CRUD + API + Search = happy |
# |
Apr 24th 2017, 10:05 |
Neon1024 |
https://youtu.be/3Neq2ey3mgE?t=18 |
# |
Apr 24th 2017, 10:05 |
Neon1024 |
But you’ve got a CMS so you’ve already got SSL |
# |
Apr 24th 2017, 10:04 |
Neon1024 |
So worth some SSL at an absolute minimum |
# |
Apr 24th 2017, 10:04 |
Neon1024 |
Will just get session hijacked, or man-in-the-middle’d etc etc |
# |
Apr 24th 2017, 10:04 |
Neon1024 |
So something like example.com/api/v1/secret-endpoint/918?password=foobar |
# |
Apr 24th 2017, 10:03 |
Neon1024 |
Plus, URLs are transparent. Whatever is in the URL is readable by anyone |
# |
Apr 24th 2017, 10:03 |
Neon1024 |
Not that I like Phil Sturgeon, but that was a point he made in one of his api talks, and it’s a good one |
# |
Apr 24th 2017, 10:02 |
birdy247 |
:+1: |
# |
Apr 24th 2017, 10:02 |
Neon1024 |
If you happened to have a security hole, I could suck your database dry |
# |
Apr 24th 2017, 10:01 |
birdy247 |
ah right |
# |
Apr 24th 2017, 10:01 |
Neon1024 |
Making it very easy for me to automatically hit every record in your database |
# |
Apr 24th 2017, 10:01 |
Neon1024 |
Well, if it's public, Birdy, and your URLs are something like example.com/api/v1/secrets/2, it's safe to assume that example.com/api/v1/secret/3 will be something as well |
# |
Apr 24th 2017, 09:49 |
birdy247 |
Neon1024 you mentioned to hide primary keys in any responses |
# |
Apr 24th 2017, 09:45 |
hagen00 |
sorry, will delete, it does work. I had a template error |
# |
Apr 24th 2017, 09:45 |
birdy247 |
the resource |