
When building a webapp, I'd like form data / interaction to be all driven by AJAX APIs. However, a lot of these APIs would be retrieving data objects (JSON) and I'd really only like my web app to use them. Is there any way to architect the API in such a way that only my website can call it? It feels like it would be a losing battle.

For instance, I could check if the domain making the request is mine, but a host header can be spoofed. JSONP doesn't solve it for me since someone could just write a service in Java or something to make requests outside of a browser sandbox.

I'm thinking there might be something with security tokens and generating one, but I feel like any real measure I take can be spoofed by a clever scraper.

Anon

2 Answers


You can employ the technique used by Rails based on authenticity tokens, generated by the web app through a custom secret.

You can then print them out in the header page and send them through the ajax request headers to validate them.

kain
  • Is this the right explanation of the token? http://stackoverflow.com/questions/941594/understand-rails-authenticity-token ? If that is the case, wouldn't a client be able to request the page, and find the auth token in the form, and then use that and hit the API hard? – Anon Jul 18 '11 at 20:36
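The authenticity-token mechanism the answer refers to, shown as an added example (constructed for this page, not code from the answer, the question, or Rails): the server derives the token as an HMAC over the session id, prints it into the page head, and the AJAX endpoint accepts a request only when the `X-CSRF-Token` header matches the token recomputed from the session cookie. The secret, the `session_id` cookie name, the `<meta name="csrf-token">` tag and the `handle_ajax` function are assumptions of this example.

```python
"""Session-bound authenticity (CSRF) tokens for an AJAX API.

Constructed example: the token is an HMAC over the session id, so a token
copied out of one browser's page is useless without that browser's session
cookie.  It does not, and cannot, stop a client who holds both, which is the
point the comment above raises.
"""
import hashlib
import hmac
import re
import secrets

# Server-side secret; Rails reads this from config.  Constructed placeholder here.
SERVER_SECRET = b"example-secret-rotate-me"


def issue_token(session_id: str) -> str:
    """Derive the authenticity token for a session (printed into the page head)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the token for this session and compare in constant time."""
    expected = issue_token(session_id)
    return hmac.compare_digest(expected, token or "")


def render_page(session_id: str) -> str:
    """The HTML the app serves: the token sits in a <meta> tag for the JS to read."""
    return f'<meta name="csrf-token" content="{issue_token(session_id)}">'


def handle_ajax(cookies: dict, headers: dict) -> tuple:
    """AJAX endpoint: require a session cookie and a matching X-CSRF-Token header."""
    session_id = cookies.get("session_id")
    if not session_id:
        return 401, "no session"
    if not verify_token(session_id, headers.get("X-CSRF-Token", "")):
        return 403, "bad authenticity token"
    return 200, '{"data": "ok"}'


def demo() -> dict:
    """Walk through the flows the thread discusses and return the status codes."""
    sid = secrets.token_hex(16)                 # session cookie issued at login
    html = render_page(sid)                     # page served to that session
    token = re.search(r'content="([0-9a-f]+)"', html).group(1)  # what the JS reads

    # Legitimate same-origin AJAX call: session cookie plus matching header.
    same_origin = handle_ajax({"session_id": sid}, {"X-CSRF-Token": token})
    # Token lifted from the page but replayed under a different session: rejected.
    other_session = handle_ajax({"session_id": secrets.token_hex(16)},
                                {"X-CSRF-Token": token})
    # Right session but the header is missing (cross-site form post, for example).
    missing_header = handle_ajax({"session_id": sid}, {})

    return {
        "same_origin": same_origin[0],          # 200
        "token_without_session": other_session[0],  # 403
        "missing_header": missing_header[0],    # 403
    }


if __name__ == "__main__":
    print(demo())
```

Reading the results against the comment: the token stops a third party from forging requests on behalf of a logged-in browser, because the HMAC only verifies together with the matching session cookie. A client that fetches the page itself receives its own valid cookie-and-token pair and can call the API with it, so this mechanism is a CSRF defence, not a way to restrict the API to one website.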

You're right to say that it's a losing battle. If you give protocol code for your client to run legitimately, then your client can run the code illegitimately as well.

So in that light, I think your only defense is obfuscation. There are two parts to it: making the code hard to understand so that an attacker cannot use the code, and making the protocol hard to understand so that the attacker cannot use an HTTP protocol analyzer.

Disclaimer: I am answering how he/she can hide the AJAX API, not answering whether it's moral/ethical to do so.

Nayuki