devlogquedulaapi
Devlog #8: Admin panel authorization
We have an internal admin panel for managing content on this blog. When we built it, authorization came up.
For an internal tool with a limited number of users we chose HTTP Basic Auth. This isn't what we'd recommend for a product interface, but for an internal service behind HTTPS — it's quite sufficient.
The main rule: authorization should be at the nginx/reverse proxy layer, not only in the application. This guarantees that even if there's a bug in the application, a request without valid credentials simply won't reach the code.
One more thing: Basic Auth credentials must not be hardcoded — only via environment variables.