
Secure way to send a mail via a (Restful) Webservice

I have an AngularJS web application with a Java backend.

Now I want to send a mail out of the Angular application. I thought the best way is to send a POST or GET request to the web service and send the mail via an internal SMTP server to the recipient.

But I think there is a big security problem with this concept. When I create a web service call like /api/mail?mailto=john@doe.com, someone can take the link to the web service, change the recipient and use this link to start spamming other people.

Does anyone know a secure way for this architecture to send a mail via a web service? It is necessary that I pass the recipient to the mail service, because the user sets this in the AngularJS UI.

I am happy about any suggestion.

Here is the list of security measures you should take for securing your REST API: REST Security Cheat Sheet.

If you use spring-security, you will be covered for most of this.

Use Mailgun. You can send 10,000 emails for free, and you can call the API via your Java backend, like so:

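import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.core.util.MultivaluedMapImpl;
import javax.ws.rs.core.MediaType;

public class MailgunExample {
    public static ClientResponse SendSimpleMessage() {
        Client client = Client.create();
        // HTTP Basic auth: the user name is "api", the password is the Mailgun API key
        client.addFilter(new HTTPBasicAuthFilter(
            "api","key-3ax6xnjp29jd6fds4gc373sgvjxteol0"));
        WebResource webResource = client.resource(
            "https://api.mailgun.net/v3/samples.mailgun.org/messages");
        // The message fields travel as a form-encoded POST body
        MultivaluedMapImpl formData = new MultivaluedMapImpl();
        formData.add("from", "Excited User <excited@samples.mailgun.org>");
        formData.add("to", "john@doe.com");
        formData.add("subject", "Hello");
        formData.add("text", "Testing some Mailgun awesomeness!");
        return webResource.type(MediaType.APPLICATION_FORM_URLENCODED).
            post(ClientResponse.class, formData);
    }
}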

This would be more secure than your implementation. I would also send the email address from the Angular client to your Java backend as a POST.
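The spam risk raised in the question can be narrowed on the server before any message reaches SMTP or a mail API. The following is an added example, not code from either answer: the class name MailRequestGuard, its allow method and the quota values are hypothetical, and it assumes the backend already knows the authenticated user id from the session.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Hypothetical guard the backend calls before handing a message to the mail service.
public class MailRequestGuard {
    // Conservative syntax check: exactly one address, no whitespace, CR/LF, commas or semicolons.
    private static final Pattern ADDRESS =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\\.[A-Za-z]{2,63}$");
    private final int maxPerWindow;
    private final Duration window;
    private final Map<String, Deque<Instant>> sent = new ConcurrentHashMap<>();

    public MailRequestGuard(int maxPerWindow, Duration window) {
        this.maxPerWindow = maxPerWindow;
        this.window = window;
    }

    // userId must come from the authenticated session, never from a request parameter.
    public boolean allow(String userId, String recipient, Instant now) {
        if (userId == null || userId.isEmpty()) return false;  // anonymous callers cannot send
        if (recipient == null || !ADDRESS.matcher(recipient).matches()) return false;
        Deque<Instant> times = sent.computeIfAbsent(userId, k -> new ArrayDeque<>());
        synchronized (times) {
            // Forget sends that have fallen out of the sliding window.
            Instant cutoff = now.minus(window);
            while (!times.isEmpty() && !times.peekFirst().isAfter(cutoff)) times.pollFirst();
            if (times.size() >= maxPerWindow) return false;    // per-user quota used up
            times.addLast(now);
            return true;
        }
    }

    public static void main(String[] args) {
        MailRequestGuard guard = new MailRequestGuard(2, Duration.ofMinutes(10));
        Instant t = Instant.parse("2024-01-01T12:00:00Z");     // constructed sample time
        System.out.println(guard.allow(null, "john@doe.com", t));                    // caller not logged in
        System.out.println(guard.allow("alice", "john@doe.com\r\nBcc: x@y.org", t)); // CR/LF in recipient
        System.out.println(guard.allow("alice", "john@doe.com", t));                 // first send
        System.out.println(guard.allow("alice", "jane@doe.com", t.plusSeconds(5)));  // second send
        System.out.println(guard.allow("alice", "jim@doe.com", t.plusSeconds(9)));   // third inside window
        System.out.println(guard.allow("alice", "jim@doe.com", t.plusSeconds(601))); // after window moved on
    }
}
```

The in-memory map only covers a single backend instance; a deployment with several instances would need a shared store for the counters.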
