I am trying to build an API in my app (app1) that will be used in another app (app2). I would like to have your advice about security. Here is what I intend to do: only allow app2 in the enable CORS setting in app1; add a constant with a password (String variable) stored in app1, and when app2 does a POST request it will also send the password in the body, and the microflow in my app1 will check if the value sent is correct. My concern is that someone could “sniff” (man in the middle) the password sent. If my concern is correct, how would you make it secure? Thank you!
If you only use secure connections, i.e. connect over HTTPS, this particular threat (the content of a request being sniffed) is mitigated.
However, there is no need to enable CORS if the API in App1 is only called by App2. Furthermore, since you are sending the password in the body of a request, you will have to build custom authentication. Developers who build custom authentication without understanding security will probably end up with an insecure application.
Therefore: secure the API in App1 with a username and password (the default setting), and when calling the API from App2 simply supply the correct username and password.
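As an added illustration of the pattern the answer recommends (not the poster's code and not Mendix's implementation), this is what the two sides of HTTPS plus username/password authentication look like: App2 builds a standard Authorization header, and App1 checks it before any microflow logic runs. The credentials, function names and the plain-Python server check are assumptions for the example.

```python
import base64
import hmac
from typing import Optional

# Constructed sample credentials for this example only (not real values).
EXPECTED_USER = "app2-service"
EXPECTED_PASSWORD = "CONSTRUCTED-EXAMPLE-PASSWORD"


def build_basic_auth_header(username: str, password: str) -> str:
    """What App2 (the caller) sends: an 'Authorization: Basic ...' header.
    Basic auth is only base64 encoding, not encryption, so it is safe
    only when the request travels over HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Decode an Authorization header; returns None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split on the first colon only, so passwords may contain ':'.
    user, _, pwd = decoded.partition(":")
    return user, pwd


def authenticate(headers: dict, is_https: bool) -> tuple[int, str]:
    """What App1 (the API owner) does before running the microflow.
    Returns an HTTP status code and a short reason."""
    # Never evaluate credentials that arrived over plain HTTP; they are
    # already exposed to exactly the sniffing the question worries about.
    if not is_https:
        return 403, "credentials only accepted over HTTPS"
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, "missing or malformed Authorization header"
    user, pwd = creds
    # Constant-time comparison so a mismatch does not leak timing information.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pwd_ok = hmac.compare_digest(pwd.encode(), EXPECTED_PASSWORD.encode())
    if not (user_ok and pwd_ok):
        return 401, "invalid username or password"
    return 200, "authenticated"
```

The same check applies whether the credentials come from a fixed constant in App2 or from a configuration store; what matters is that they never travel in the clear and that App1 rejects anything but a correct pair.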