
If you are calling a service using jQuery like below, your service call is shown and displayed to the user, which allows them to call that service using Fiddler or any custom web application:

$.ajax({
   url: "SERVICE_URL?Q1=eee&Q2=sss",  // SERVICE_URL stands for the real endpoint; the URL must be a string
   dataType: "json",                   // jQuery expects "json"/"jsonp"/..., not a MIME type such as "application/json"
   data: {...},
   ......
})

What technique is followed by Gmail, Facebook, or Twitter to resolve this issue? I found that there are no such types of calls in their scripts.

I discovered that they are using an OAuth authentication provider to generate an access token to pass every time they need to access anything from jQuery ...

Please, can anybody help us find the best practice for not showing the service URL, or even encoding it?

Muhammad Soliman

2 Answers

Try changing your dataType to "jsonp".

Dennis Martinez
  • But still the service URL will be shown on the client side... What is followed by Gmail or Twitter? If you display their scripts you will not find any code like this – Muhammad Soliman Apr 17 '12 at 21:45

I think it is better if we apply the following, but I am still not sure if it will be enough to secure your services.

  • All backend services should be packed in APIs.
  • Use shared sessions in any store (like memcached or Redis; the latter is better for keeping them persistent if there is a "remember me" feature) across your system components, and prevent calls to your services if the caller is not authenticated or authorized.
  • Manage your services to prevent excessive hits by using a max hits per second ... (you could apply this technique if you are using Redis).

Hint: Redis persistence is described in detail here: http://redis.io/topics/persistence

Update: As an example, AWS is implementing this now through API Gateway and Amazon Cognito, and that is what became known as Serverless applications :)

Muhammad Soliman
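An added example (not code from the question or either answer) of the gateway pattern the second answer sketches: every service call is first checked against a shared session store for authentication and authorization, then throttled to a maximum number of hits per second per session using the Redis INCR/EXPIRE idiom. The `FakeRedis` class, session ids, roles and the fixed clock are constructed stand-ins so the example runs offline; against real Redis the same INCR and EXPIRE commands apply to the same keys.

```javascript
"use strict";

const MAX_HITS_PER_SECOND = 5;

// In-memory stand-in for the two Redis commands used here (constructed for this example).
class FakeRedis {
  constructor() { this.kv = new Map(); this.ttl = new Map(); }
  purge(key, nowMs) {               // drop a key whose TTL has elapsed
    if (this.ttl.has(key) && this.ttl.get(key) <= nowMs) { this.kv.delete(key); this.ttl.delete(key); }
  }
  get(key, nowMs = Date.now()) { this.purge(key, nowMs); return this.kv.get(key) ?? null; }
  set(key, val) { this.kv.set(key, val); }
  incr(key, nowMs = Date.now()) {   // atomic INCR in real Redis; starts at 1 for a new key
    this.purge(key, nowMs); const n = (this.kv.get(key) ?? 0) + 1; this.kv.set(key, n); return n;
  }
  expire(key, seconds, nowMs = Date.now()) { this.ttl.set(key, nowMs + seconds * 1000); }
}

// Gateway decision for one request: { allowed, status, reason }.
function gateRequest(redis, req, nowMs = Date.now()) {
  // 1. Authentication: the client only presents a session id (e.g. from an HttpOnly cookie);
  //    the shared store says whether that session exists and who it belongs to.
  const session = redis.get("sess:" + req.sessionId, nowMs);
  if (!session) return { allowed: false, status: 401, reason: "not authenticated" };
  // 2. Authorization: the session must carry the role the requested service needs.
  if (!session.roles.includes(req.requiredRole)) return { allowed: false, status: 403, reason: "not authorized" };
  // 3. Rate limit: fixed one-second window per session, INCR + EXPIRE on a per-window key.
  const windowSec = Math.floor(nowMs / 1000);
  const key = `hits:${req.sessionId}:${windowSec}`;
  const hits = redis.incr(key, nowMs);
  if (hits === 1) redis.expire(key, 2, nowMs);   // let the counter die shortly after its window
  if (hits > MAX_HITS_PER_SECOND) return { allowed: false, status: 429, reason: "rate limit exceeded" };
  return { allowed: true, status: 200, reason: "ok" };
}

// Constructed scenario: unknown session, wrong role, a 6-call burst, then the next second.
function demo() {
  const redis = new FakeRedis();
  redis.set("sess:abc123", { user: "alice", roles: ["user"] });
  const t0 = 1700000000000;   // fixed clock (ms) so the window arithmetic is deterministic
  const statuses = [];
  statuses.push(gateRequest(redis, { sessionId: "nosuch", requiredRole: "user" }, t0).status);
  statuses.push(gateRequest(redis, { sessionId: "abc123", requiredRole: "admin" }, t0).status);
  for (let i = 0; i < 6; i++)
    statuses.push(gateRequest(redis, { sessionId: "abc123", requiredRole: "user" }, t0 + i * 10).status);
  statuses.push(gateRequest(redis, { sessionId: "abc123", requiredRole: "user" }, t0 + 1000).status);
  return statuses;   // [401, 403, 200, 200, 200, 200, 200, 429, 200]
}
```

Note that hiding the URL buys nothing here: the decision is made server-side from the session, so a call replayed from Fiddler with no valid session is rejected regardless of how the endpoint was discovered.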