
I have a public SPA that is calling my backend REST service via JavaScript. How can I secure the REST service so that it will only accept calls from my SPA and no other clients or users?

Any way that I can think to secure it would involve storing some kind of secret; however, because the SPA is written completely in JavaScript, anyone can view the source.

joe
kimsagro
  • Generally you can't unless you have a user authentication system. Then you can issue the secrets to a user on login. – Greg Mar 22 '14 at 03:26

1 Answer


The most common practice for securing an API is a combination of API-key & using SSL (https)

Here are some links that will point you in the right direction:

Theoretical:

http://www.slideshare.net/jfaustin/securing-your-api (from slide 17 onward)

https://security.stackexchange.com/questions/18684/how-to-implement-an-api-key-mechanism

Practical:

(.net) http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx

Also, Pluralsight (http://www.pluralsight.com/training) has amazing videos (unfortunately paid membership) on the topic & much more!

Hope it helps

LostBalloon
  • Given this is a JavaScript application though, where would I store the API Key to keep it secret? – kimsagro Mar 22 '14 at 03:53
  • http://stackoverflow.com/questions/7847121/how-to-keep-api-keys-secret-when-using-client-side-javascript This answer mixed with ssl for securing the communication (and preventing packet tampering) http://stackoverflow.com/questions/5472668/rest-authentication-and-exposing-the-api-key It doesn't really matter if the API key itself is known or viewable, because the shared secret is what will help the server determine if the api-key comes from the proper source or someone else pretending to be your app. – LostBalloon Mar 22 '14 at 04:36
  • I think the diagram @ this link illustrates the process really well: http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html of course, in your case, you are not authenticating a user (So slightly different) – LostBalloon Mar 22 '14 at 04:40
  • I'm still confused. Given that the API Key is visible to everyone, how can the server verify that the request is coming from my site and not someone else's? We could both sign any requests correctly with the key, and any other information about the request can be faked. My understanding is that client-side JavaScript OAuth is not possible. – kimsagro Mar 22 '14 at 06:26