
Security in Apideo

Delivering secure applications should be a concern for any developer. Apideo connects people, and among the people it connects there may be hackers or users with bad intentions. Therefore, you have to design your applications so that they cannot be misused.

Apideo provides a set of security features. Most of these features are aimed at preventing a hacker from stealing your Apideo key. However, the security of your application cannot rely only on these features. You must ensure that each communication between your users is properly protected so that, for example, no script injection can happen. Although script injection is outside the scope of Apideo, you can consult tutorial 2, which explains the basics of building secure JavaScript code.

Security features

Apideo provides two security mechanisms:

  • Security via URL
  • Security via token

The idea behind security by URL is to allow only a restricted set of web servers to run JavaScript scripts that make use of your Apideo key. Security by URL is very easy to set up and should therefore be the first step towards securing your application. However, it partly relies on the client providing the server's URL to Apideo, so it is inherently flawed, and a determined hacker could defeat it. This is why there is also security via token.

In security by token, your web server allows some actions to happen based on a token that it provides to the web page. The Apideo server receives the token from the page and asks your web server whether the requested action is authorized or not, so the decision is made by your server rather than by the client.

Comparison

| Feature | URL-based security | Token-based security |
|---|---|---|
| Prevent a hacker from using your Apideo key on his web site | Yes | Yes |
| Security level | Low: relies on the user's browser providing your server URL. | High: a direct dialog between your server and Apideo's servers is established. |
| Prevent a hacker from connecting to a room if he has not been authorized | No | Yes |
| Prevent a hacker from sending events if he has not been authorized | No | Yes |
| Prevent a hacker from playing streams if he has not been authorized | No | Yes |
| Prevent a hacker from publishing streams if he has not been authorized | No | Yes |
| Usage scenario | You are using a free account and you are not sending confidential data in the events. | You are using a pro account, or you are sending data or streaming videos that must be kept secret. |
| More details | Follow this link to learn more about URL-based security. | Follow this link to learn more about token-based security. |