2

I'm building a web application. It's basically a blog.

There is a JavaScript client web application and there is a server that implements a REST API.

When a user visits my blog, I use a JavaScript function loadPosts() which uses Ajax to send a GET request to the myblog.com/api/posts endpoint on the server. The server returns a JSON array containing blog posts and the JavaScript on the client side parses the JSON and appends HTML to display the blog posts.

The problem I'm having is that I do not feel that my REST API is secure.

Keep in mind that I do not want website visitors to have to log in in order to see blog posts. However, it seems that anyone could type myblog.com/api/posts into their browser and get a JSON response from my server containing all the blog posts. This means that someone else could create a duplicate blog and use the data I have on my server just by calling my REST API!

Therefore my question is: how do I make sure that only my JavaScript client is able to make calls to my server and get data from my REST API? Note that I do not want my blog visitors to authorize in order to be able to view blog posts.

Thanks in advance!

IvanJ

1 Answer

0

You could use the following approach.

  1. Pass in a client token from the loadPosts() method. You could use AES or some other encryption technique to encrypt the token.
  2. Decrypt the token to validate that the request is coming from your method only.
  3. Respond to the request.

Even this approach can be hacked, since your loadPosts() is a client-side JavaScript method. Anybody could get your token from there.

If you would like more security, you could generate a new token every time a new request is made and store it in the database with related information like the IP address or something. Then you can verify that info in the API request and respond accordingly.

It all depends on how far you want to take it.

I hope it helps.

chrana