1

i am currently developing a php web app with an api to access user's data from cross platforms and web.developers will be able to fetch and insert user's data from api using an api key and secret.it will also use HTTP referer to make sure that the call was made from registered app url.but the problem is in javascript where API KEY and Secret will be shown in 'Page Source'.i serched about it on google and then i heard about 'OAuth'.now i have no knowledge about OAuth.i searched it, but nothing found helpful.so please anyone can tell me how to create a secure PHP & Javascript API and what is OAuth and how can i use it to protect my api.

thanks

sani
  • 137
  • 1
  • 7
  • Not sure if I got the question. What have you investigated so far, what do you need to know? Did you check out https://code.google.com/p/oauth-php/ – Zsolt Szilagyi Jun 01 '13 at 16:05
  • similar question: http://stackoverflow.com/questions/10603980/securing-an-api-for-use-with-javascript-widget – Harry Wood Aug 16 '16 at 00:12

1 Answers1

1

1) HTTP referer can be easily faked, so its usage for authenticity checking presents a big security hole. 2) API keys and secrets must never be publicly available. If you do so, then anyone can use them to fake your identity and, for example, stole your users' data.

What you can do is to make a simple PHP script which will provide a secure communication gateway to the web services you want to use. Then you can use AJAX to establish a communcation chanel between your page's frontend and the PHP script, which will the make requests to web service and return the result. Using this way, your API keys and secrets will be stored in the PHP script, which content isn't publicly available.

OAuth's implementation can be very frustrating, but if your web services require its implementation then you have no choice.

codeplasma
  • 515
  • 3
  • 6