Legendary Trio
devlogquedulaapi

Devlog #8: Admin panel authorization

We have an internal admin panel for managing content on this blog. When we built it, authorization came up.

For an internal tool with a limited number of users we chose HTTP Basic Auth. This isn't what we'd recommend for a product interface, but for an internal service behind HTTPS — it's quite sufficient.

The main rule: authorization should be at the nginx/reverse proxy layer, not only in the application. This guarantees that even if there's a bug in the application, a request without valid credentials simply won't reach the code.

One more thing: Basic Auth credentials must not be hardcoded — only via environment variables.