Optional security on Delivery API

At them moment it is simple for an end user to access the content of your site using the delivery API. By viewing the source code and taking the project ID from an asset link, a request can be made to the Delivery API to retrieve the entire content (including any content types/values that may be used for configuration).

Because of this, the API cannot be used by websites for content within secure areas that need authorization to access. Such as a suppliers login, staff login, customer login for help documents / policies etc.

Would it be possible to add optional security on the delivery API that can be activated in the Kentico Cloud admin on a project by project basis?

Comments

  • TomasH@kentico.com[email protected] Member, Kentico Staff mod

    Hi @ChrisThompson, you hit the bull's eye. Thanks for the great feedback. We know that without securing the Delivery API, you won't be able to use Kentico Cloud for some projects. We're planning to change this as soon as priorities allow us. Currently, we're thinking about allowing you to add an optional API key to the Delivery API just like for the Preview API. However, we still believe that we should focus on features on our current roadmap first, and then address this one. Since our priorities reflect what our customers truly need, if you believe securing the Delivery API should be implemented sooner, you can tell us which features on our roadmap are less priority. Also, knowing more about your use cases would significantly help us design the API security.

    So, let me ask everyone in this thread (including @ChrisThompson ) these questions. I believe it will help me, our developers and designers get the API security right.

    • What is the project/website about? Could you describe it in a few words so that we can imagine the use-case?
    • What content should be protected?
    • Should the rest of the content be publicly accessible or should the whole API be secured? Why?
    • If you have users on your website, how would you store and manage users, passwords, and permissions?

    Thanks to everyone who provided us the invaluable insights.

  • Hi,
    _What is the project/website about? Could you describe it in a few words so that we can imagine the use-case? _
    Central news repository with content being used across multiple existing websites as well as on a new standalone site.

    _What content should be protected? _
    News content that is not be public - but in this instance, I suggest securing all of it.

    Another area to consider is how to secure assets - PDFs, images etc. These would need to be protected based on which content the asset relates to or, if the asset library had folders, certain folders could be marked as requiring authorisation. There are several technical issues to be addressed with attempting to secure assets - especially if the authentication is happening on the public website and not inside Kentico Cloud.

    _Should the rest of the content be publicly accessible or should the whole API be secured?
    Why? _
    In this instance the whole API can be secured. I suggest thinking about it the other way around - what part of the API needs to be public?
    If both public and non-public are required, perhaps a KC could include a tool that allows for the selection of content to be included in an instance of the API. This could use the sitemap or content types to determine what is available in a public API for instance. Perhaps the user could define any number of APIs end points, specified as public or secure with different content available in each?

    If you have users on your website, how would you store and manage users, passwords, and permissions?
    On the website being developed - standard security using SQL Server is most likely or integration with an external system. Not on Kentico Cloud.

    Thanks, Chris.

  • TomasH@kentico.com[email protected] Member, Kentico Staff mod
    edited July 2017

    Thanks for your feedback, @ChrisThompson . We've included securing the Delivery API to our roadmap for the upcoming quarter (until the end of September). If you want, I can reach out to you when we're going to do additional research and design.

  • TomasH@kentico.com[email protected] Member, Kentico Staff mod

    @ChrisThompson we've decided to implement optional security for Delivery API shortly. The design is very similar to what we were discussing here. Can you take a look at the forum post and give us your two cents?

Sign In or Register to comment.