
Resources on best practices to support why we need to protect Web API

Çağlar Arlı


I am dealing with a coworker who keeps insisting there is no need to protect requests to our Web API. His rationale is that the only client to it (our Web front end) already makes sure only authorized users can access the functions at the front end, and that using network management tools we can ensure only that front end can access that Web API.

I have already spent too much time trying to help him understand all the ways this can fail, but he wants "documentation" to show my point. Is there any easy-to-understand best practices documentation I can refer to? Protecting the Web API is a given to me, and everything I have found (discussions and tutorials) on the web already assumes this is a given. For example:
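The failure mode the question describes, as an added editorial example that is not part of the original post: two minimal HTTP APIs are started on localhost, one that trusts the front end to have already checked the user and one that authorizes every request itself, and then a plain HTTP request (standing in for a user with curl or browser DevTools, or for any other host that can reach the API) is sent at both. The endpoint path, the token value, and the "admin report" payload are all constructed for this example.

```python
"""Added example (not from the original post): why the Web API must authorize
every request itself, regardless of what the front end does.

  * TrustingHandler - assumes the front end already checked the user, so it
                      returns the admin data to anyone who reaches it.
  * HardenedHandler - checks a bearer token on every request.

A client that is *not* the front end (a plain HTTP request) is sent at both.
Paths, ports, the token and the payload are made up for this example.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed secret; in a real deployment this is issued by the auth server.
VALID_TOKEN = "example-session-token-123"
ADMIN_REPORT = {"report": "quarterly-revenue", "rows": 42}


class TrustingHandler(BaseHTTPRequestHandler):
    """Relies on the front end having hidden the 'admin report' button."""

    def do_GET(self):
        if self.path == "/api/admin/report":
            self._send(200, ADMIN_REPORT)
        else:
            self._send(404, {"error": "not found"})

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


class HardenedHandler(TrustingHandler):
    """Same API, but the server authorizes every request itself."""

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth != f"Bearer {VALID_TOKEN}":
            self._send(401, {"error": "unauthorized"})
            return
        super().do_GET()


def start_server(handler):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def direct_request(port, token=None):
    """Call the API directly, bypassing any front end; return the HTTP status."""
    req = Request(f"http://127.0.0.1:{port}/api/admin/report")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def demo():
    """Return (trusting_status, hardened_without_token, hardened_with_token)."""
    trusting = start_server(TrustingHandler)
    hardened = start_server(HardenedHandler)
    try:
        return (
            direct_request(trusting.server_port),               # data leaks: 200
            direct_request(hardened.server_port),               # refused: 401
            direct_request(hardened.server_port, VALID_TOKEN),  # allowed: 200
        )
    finally:
        trusting.shutdown()
        trusting.server_close()
        hardened.shutdown()
        hardened.server_close()


if __name__ == "__main__":
    print(demo())  # (200, 401, 200)
```

The point of the contrast: the trusting API hands out the report to the first request that reaches it, so its security is exactly as strong as the network restriction in front of it. If the front end is a browser application, "the front end" runs on the user's own machine and a network allow-list cannot distinguish it from curl; if it is a server-rendered application, every other process on that allowed host, and every host that can spoof or reach that network segment, gets the same unrestricted access. The hardened API makes the same request fail with 401 until the caller presents a credential the server can verify.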