(Plugin) How to protect your customers from ID substitution in the ApiRequestData?

In this article, you will find information on how to protect your customers from ID substitution in the ApiRequestData.

Written by Valeriia

If an intruder knows another user's data, they can obtain that user's modules and images by substituting the user's identifier in the ApiRequestData through the browser's developer console.

To protect your customers from data spoofing, follow these steps:

1) Enable the "Permission Checker API" configuration in the "Server settings" menu:

The Permission Checker feature prevents third parties from impersonating other users. When it is enabled, the Permission Checker sends a request to the plugin's backend with the ApiRequestData parameters and the cookies. Your backend has to read the cookies, identify the user, check whether the data in the ApiRequestData is valid for that user, and grant or deny access to the user's modules and images.

Note that you have to implement the logic that sets these cookies when the user logs in to the plugin yourself.

2) Add some unique identifier or token to the ApiRequestData during initialization.

Use a unique identifier or token that cannot be guessed or forged on the browser side.

For example, you can use a JWT.


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.


Remember: it is better to generate a new token each time the editor is initialized.

After receiving a request from the Permission Checker, your backend can use that identifier or token to check whether the user data in the ApiRequestData is correct.

By following these two steps, you protect your clients from having their modules and images stolen through the developer console.




Thank you for taking the time to read our articles. We hope you will find this information helpful.


If you have any additional questions, please email us at support@stripo.email.

We would be glad to talk with you.


