Is splitting a REST API server from a Web server considered a security threat?

It would be more accurate to say that "using two servers, e.g. api.myservice.org and www.myservice.org, has security implications"; in other words, it would normally be blocked by default server CORS config. But there are safe and secure methods to allow this by adjusting those settings.

The alternative of configuring URL paths to point to different hosts also has security implications. Arguably, this weighs in favor of your proposed method, due to SEO considerations (i.e. you don't want a search engine indexing your JS lib files).

Read more details about "Cross-Origin Resource Sharing (CORS)" at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
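As an added illustration of the "safe and secure methods" the answer refers to (example code written for this page, not the answer author's own), the policy below is what the API origin would apply: it echoes only exact allow-listed origins, sends `Vary: Origin`, and never pairs a wildcard with credentials. The hostnames are the ones from the question; the function names, header set and max-age value are this example's assumptions.

```python
# Added example: a strict CORS policy for an API served on api.myservice.org
# while the front end lives on www.myservice.org. Hostnames come from the
# question; everything else is an assumption made for the example.

# Exact origins (scheme + host + port). A suffix check such as
# origin.endswith("myservice.org") would also accept
# "https://evil-myservice.org", so membership in this set is the only test.
ALLOWED_ORIGINS = frozenset({
    "https://www.myservice.org",
    "https://myservice.org",
})
ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"
PREFLIGHT_MAX_AGE = "600"  # seconds a browser may cache the preflight result


def origin_is_allowed(origin):
    """True only for an exact, https, allow-listed origin ("null" never matches)."""
    return bool(origin) and origin.startswith("https://") and origin in ALLOWED_ORIGINS


def cors_headers(request_method, request_headers):
    """Return the CORS response headers for one request to the API origin.

    request_headers is a dict with lower-case keys, as a WSGI/ASGI adapter
    would provide. Returns {} for disallowed or same-origin requests, which
    makes the browser block any cross-origin read of the response.
    """
    origin = request_headers.get("origin")
    if not origin_is_allowed(origin):
        return {}
    headers = {
        # Echo the matched origin; "*" cannot be combined with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must not replay one origin's response to another.
        "Vary": "Origin",
    }
    is_preflight = (request_method == "OPTIONS"
                    and "access-control-request-method" in request_headers)
    if is_preflight:
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return headers
```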


From the information provided, it is definitely not a security risk. As long as proper controls are set on the API endpoint (HTTPS, HSTS, etc.), you should be good to go.

One thing to note here is that myservice.org may be running on a hardened system and with additional protections (such as a WAF). In that case, those controls will have to be applied to api.myservice.org as well.

Edit: The argument of XSS is irrelevant here and it cannot happen just because myservice.org and api.myservice.org are decoupled.


Only the person behind the rejection could answer definitively why they consider it a security issue. I've found the following questions helpful for such a discussion (not necessarily all of them, since it's likely several of them would be answered by a single question):

  1. Which type of security issue is this? “XSS” is not enough of an answer, since it's not obvious why that would be the case.
  2. Is this mandated by someone or something, such as regulations or a stakeholder? If all the other services the organisation maintains work the same way, it could be considered unnecessary complexity.
  3. Do you have a reference? Security-related articles are often written by people who have worked a lifetime with security, compared to someone who may have read and agreed with the article but can't necessarily justify their position as clearly. Of course, just because someone at some point considered it a problem, someone still has to verify whether it's actually relevant for you and whether the trade-offs are worth it. As a quick counterpoint (although of course absence of evidence is not evidence of absence), the OWASP Top Ten doesn't seem to explicitly mention subdomains as being a problem in their XSS or CSP articles.

Tags: rest, xss