
I'm currently working on a small JavaScript library which makes requests to a REST web service. Since the server side needs to log incoming requests to measure the number of requests, I want to secure it somehow. The library is very similar to the Google Maps API. So my question is now, is there some way to secure it better than just adding an API key to the library's requests? How can I ensure, if that is even possible, that only the 'right' client uses the key? I guess I could compare the referrer URL to a set of valid URLs, but this can be spoofed too, right? Please keep in mind that it is impossible to use someone else's authentication method (Facebook, Google, Twitter etc.) since it has to work without user input.

Cheers, Daniel

Daniel Gerber
  • Yes, the referrer URL can and will be manipulated and shouldn't be used for anything security related. – reto Jul 07 '14 at 07:47
  • Define what exactly "secure" means. Is the API meant for a public website, which anyone can visit? Then by definition, there's nothing you can do. Either anyone can access the data anytime from anywhere (public website), or you have some kind of restriction to go by. You can't have both. – deceze Jul 07 '14 at 07:53
  • Thank you. Well I need a way to identify the client on the server side to measure the API requests. It does not necessarily need to be "secure". Sorry if I mixed this up. – Daniel Gerber Jul 07 '14 at 07:58
  • So your question is how to identify users without them explicitly authenticating themselves? See http://stackoverflow.com/questions/15966812/user-recognition-without-cookies-or-local-storage/16120977#16120977 – deceze Jul 07 '14 at 08:03

1 Answer

A decent RESTful approach would be to require an Authorization header to be supplied by the client, matching some scheme that your server will accept (see Basic Access authentication as an example). Seeing as you only wish to validate that your client is the one making the request, you probably don't need too complex an authorization mechanism.

Ross Taylor-Turner
  • I can't see how this cannot be spoofed. If I put username:password in my library source code, everybody is able to see/fake it, or not? – Daniel Gerber Jul 07 '14 at 08:13
  • So you are creating a public JavaScript library that communicates with your private server and you don't wish clients other than those using your library to make the request? As mentioned in @deceze's comment, if this is a publicly accessible server then there's nothing you can do to stop people making requests to it, so wouldn't you want to measure the number of requests including these? As you mentioned checking the referrer, that makes me think there are only one or a few clients you expect to receive requests from? Sorry, I don't fully understand the question yet. – Ross Taylor-Turner Jul 07 '14 at 08:34