How to hide the body of an HTTP POST (which contains the password) from people analyzing network traffic?

Viewed 209 times

Good morning folks... I have a Windows application that accesses a web API in the cloud and picks up some security data from my system. This API is for exchanging information only with my Windows application, so I protected it with OAuth (bearer) and I only allow HTTPS connections.

I have other computers in my workplace with this Windows application installed; I can go to any of them, install a network traffic monitoring program (Fiddler) and quickly see the POST body (containing my password).

How do I prevent other people with access to these computers from doing the same and discovering my API password???

Somebody please help me, I'm going crazy thinking there's no way!

I access the api with the code below:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Windows.Forms;
using Newtonsoft.Json;

string ObterCliente(string idCliente)
{
    HttpClient clienteHttp = new HttpClient();
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
    clienteHttp.BaseAddress = new Uri("https://meuUri.com/");

    Dictionary<string, string> tokenDetails = null;
    // Password grant: the user name and password travel in the form body of this POST.
    var login = new Dictionary<string, string>
    {
        {"grant_type", "password"},
        {"username", "meuUserName"},
        {"password", "meuPassWord"},
    };

    string result = "";

    var response = clienteHttp.PostAsync("Token", new FormUrlEncodedContent(login)).Result;
    if (response.IsSuccessStatusCode)
    {
        tokenDetails = JsonConvert.DeserializeObject<Dictionary<string, string>>(
            response.Content.ReadAsStringAsync().Result);
        if (tokenDetails != null && tokenDetails.Any())
        {
            // Takes the first field of the token response (normally access_token).
            var tokenNo = tokenDetails.FirstOrDefault().Value;
            clienteHttp.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenNo);
            HttpResponseMessage resp = clienteHttp.GetAsync("api/clientes/" + idCliente).Result;
            resp.EnsureSuccessStatusCode();
            result = resp.Content.ReadAsStringAsync().Result;
        }
    }
    // The original showed an undefined variable here; the API response is in "result".
    MessageBox.Show(result, "xMarket", MessageBoxButtons.OK, MessageBoxIcon.Information);
    return result;
}
  • This is usually handled by using HTTPS. If you want to use HTTPS in development, you can generate a self-signed certificate to use on your application server.

  • @Danizavtz Note that HTTPS is already being used in the client: clienteHttp.BaseAddress = new Uri("https://meuUri.com/");

  • Thank you for the answer... What I want is for only my Windows application to talk to this web API. I will install this application at a lot of customers and I want it to be safe (so that no one at the customer with access to the computer where this Windows application is installed can see the password).

  • I don't know if it's clear.... but I want to install this system at several clients. If such a client installs Fiddler on the machine that communicates with the API, they will see the passwords, which I want to avoid.
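One defensive measure that directly addresses the Fiddler scenario, added here as an example and not code from the question or from any answer on this page: pin the API server's public key inside the HttpClient, so that an intercepting proxy, which has to present its own certificate, is rejected before the POST body is ever sent. It assumes .NET 5 or later (for ExportSubjectPublicKeyInfo) and that PinnedSpkiSha256 is filled in from the real server certificate; the value below is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedApiClient
{
    // Placeholder: replace with the Base64 SHA-256 of the API server's
    // SubjectPublicKeyInfo, computed from the real certificate before shipping.
    const string PinnedSpkiSha256 = "REPLACE_WITH_BASE64_SPKI_SHA256";

    // Hash the SubjectPublicKeyInfo rather than the whole certificate, so a
    // routine renewal that keeps the same key pair does not break the pin.
    public static string ComputeSpkiPin(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        using var sha = SHA256.Create();
        return Convert.ToBase64String(sha.ComputeHash(spki));
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Keep the normal chain validation (this alone already rejects a
            // proxy whose root CA is not trusted) and add the pin on top of it.
            if (errors != SslPolicyErrors.None || cert == null)
                return false;

            // A proxy that installed its own root CA passes chain validation,
            // but its leaf certificate carries a different public key, so the
            // pin comparison fails and the request is aborted before any data
            // (including the password in the token POST) leaves the client.
            return string.Equals(ComputeSpkiPin(cert), PinnedSpkiSha256, StringComparison.Ordinal);
        };

        // Same base address as the question's client; only the handler changes.
        return new HttpClient(handler) { BaseAddress = new Uri("https://meuUri.com/") };
    }
}
```

Pinning only protects the wire: someone who controls the machine can still read the password out of the installed program or patch the pin, so a single password shared by every installation should be replaced by a credential issued per installation or per user, which can be revoked individually when one copy leaks.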

No answers
