Application-Level Data Security

derekmansen

We’re pleased to announce an all-new security feature for the CloudMine platform. You can now use our new API key rules interface to secure application-level data, allowing you to restrict access to your data without requiring your users to log in.

Why?

APIs like CloudMine usually restrict access to their data with an API key, or token, that is sent with each request and authenticated on the server. The problem is that the key must be embedded in the app’s code. An embedded key offers a small level of protection from malicious users, but a motivated person could still decompile the app and get the key without too much effort.

With this feature, you can restrict access to some (or all) of your data using our rules system. You can make certain objects or files read-only, or only allow users to create objects (but not delete them). The rules are validated on our servers with each API request. One common scenario is an HTML5 web app that needs access to your data. Such an app works by embedding your key in its JavaScript code, but keys embedded in JavaScript are easily extracted. In this case, you should create a new key with read-only permissions and use that to access the API.

How It Works

If you just want to jump in and play around with the new feature, head on over to your CloudMine Dashboard. Read the quick blurb about how the system is organized, make a new API key, and apply some rules to it. You can use the API Console to explore how your results change depending on which rules you’ve defined.

When you’re satisfied that the rules you’ve created are what you want for your app, you can either apply them to your current API key, or redistribute your app with the new key. If you need more detailed information, visit the App-Level Data Security section of our API documentation.

Start Developing!

We take a lot of pride in the new features we’re bringing you, and we’re excited to see how developers end up using them. If you have any questions or comments, don’t hesitate to drop us a line on Twitter or via email.

twitter.com/cloudmine


