Thanks for the reply. We'll use HTTPS in production for sure, because the data going back and forth are valuable business data. The users from the 3 locations are all employees of the organization, but because we're opening up the API to the internet (to accommodate those remote employees), we want to do our due diligence upfront regarding security (we want our APIs to only be available to authenticated and authorized users).
On Thursday, January 25, 2018 at 1:32:36 PM UTC+8, [email protected] wrote:
>
> I come from a Java and C# background, and have built web apps the "classic" way (i.e., JSP, ASP.NET, cookies, server-side rendering, occasionally Ajax, etc.).
>
> I am about to build my first (eventually) medium-sized web app, where the server side would just be serving up data REST-API style, and both local and remote users would be connecting via a browser and/or a non-browser.
>
> The web app is meant for use within an organization only, but because the organization is spread out in three different locations, the REST API (or perhaps some sort of an API gateway?) would have to be exposed to the internet.
>
> My questions are all security-related, and we're thinking of using Go as the programming language, and some external libraries such as routers (we're currently investigating gorilla mux, ozzo-routing, and others), etc.
>
> (1) Is validating JWTs in a web request's Authorization header the current dominant best practice for securing an API? What are its pros and cons?
>
> (2) Would using a session cookie + some authorization middleware (such as casbin) make sense for our situation? What are its pros and cons?
>
> Thanks for helping!
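As an added illustration of approach (1) from the quoted question, not code from anyone in this thread: a stdlib-only net/http middleware that validates an HS256 JWT taken from the Authorization header, refusing tokens whose alg is not the one the API issues (so "alg":"none" is rejected), comparing the HMAC in constant time, and requiring an unexpired exp. The key, the Claims fields and the function names are assumptions; the handler wraps any http.Handler, so it sits in front of whichever router is chosen.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Claims holds the registered claims checked here; a real API would add its own (constructed names).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // expiry as Unix seconds
}

// verifyHS256 accepts the token only if alg is ours (refuses "none"), the HMAC matches (constant time) and exp is in the future.
func verifyHS256(key []byte, token string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".") // base64url(header).base64url(payload).base64url(signature)
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var h struct{ Alg string `json:"alg"` }
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &h) != nil || h.Alg != "HS256" {
		return c, errors.New("unsupported alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1])) // the signature covers the encoded header and payload
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return c, errors.New("bad signature")
	}
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &c) != nil || c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("bad or expired claims")
	}
	return c, nil
}

// RequireJWT wraps any http.Handler: it takes the Bearer token from the Authorization header and answers 401 unless it verifies.
func RequireJWT(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := verifyHS256(key, tok, time.Now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The key must be a long random secret shared only by the issuer and the API; authorization (what an authenticated subject may do) is a separate check that runs after this middleware has established who the caller is.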
