My app has a few endpoints open to the public:
1. API to register a source (the source also provides a JWKS URL)
2. API to send data (data is sent with private key and key ID)
Happy Path:
1. Subscriber registers as a source
2. Subscriber app sends data
3. My App parses data and validates
Not a Happy Path:
1. Malicious Actor registers as a source
2. Malicious Actor sends data
3. My App parses data and validates
The app performs validation, but the data shared is meaningless and I should have stopped before Step 3.
I understand this is more of a system abuse issue than a security issue. A few ways to handle this are API rate limiting, validating headers, checking the Referer, etc. But it still feels insufficient.
I have to make the APIs public for now so sources can register themselves and share data. I am looking for design-related decisions, suggestions and corrections.
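The flow described in the post, as an added example that is not part of the original post: it shows that verifying a signature against a self-registered JWKS proves only possession of the matching private key, so the malicious source's data validates exactly like the subscriber's. The function names, source ids, key ids and payloads are constructed, and an in-memory map stands in for fetching each source's JWKS URL.

```javascript
// Added example with constructed data; registerSource/handleData are hypothetical names.
const crypto = require('node:crypto');

// sourceId -> array of JWKs (assumption: stands in for fetching the JWKS URL)
const sources = new Map();

// Step 1: anyone can register; the JWKS is whatever the registrant supplies.
function registerSource(sourceId, jwks) {
  sources.set(sourceId, jwks.keys);
}

// Steps 2-3: select the key by kid, verify the signature, and only then parse.
function handleData(sourceId, kid, body, signatureB64) {
  const keys = sources.get(sourceId);
  if (!keys) return { accepted: false, reason: 'unknown source' };
  const jwk = keys.find((k) => k.kid === kid);
  if (!jwk) return { accepted: false, reason: 'unknown kid' };
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(body), publicKey,
    Buffer.from(signatureB64, 'base64'));
  if (!ok) return { accepted: false, reason: 'bad signature' };
  return { accepted: true, data: JSON.parse(body) };
}

// Constructed client: makes a P-256 key pair, publishes the public JWK, signs bodies.
function makeClient(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid };
  const sign = (body) => crypto.sign('sha256', Buffer.from(body), privateKey).toString('base64');
  return { jwks: { keys: [jwk] }, sign };
}

function demo() {
  const subscriber = makeClient('sub-1');
  const attacker = makeClient('evil-1');
  registerSource('subscriber', subscriber.jwks);
  registerSource('attacker', attacker.jwks);
  const good = '{"reading": 21}';
  const junk = '{"x": "meaningless"}';
  return {
    // Happy path: signature matches the subscriber's registered key.
    subscriber: handleData('subscriber', 'sub-1', good, subscriber.sign(good)),
    // Not a happy path: the signature is just as valid, because the key is self-registered.
    attacker: handleData('attacker', 'evil-1', junk, attacker.sign(junk)),
    // What the signature check does stop: data sent under another source's identity.
    forged: handleData('subscriber', 'sub-1', junk, attacker.sign(junk)),
  };
}
```

The signature check binds data to a registered source and blocks impersonation of one source by another; it says nothing about whether the registrant should have been admitted.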