
I have a JavaScript widget I'd like developers to embed on their sites.

I'd like to perform various actions based on whether or not a user is already a member of my site. Is it possible to securely perform GET/POST requests cross-domain?

I'm running Node/Express on the server side.

opticon
  • Security is relative, but it sounds like you're describing a RESTful API. Take a look at this http://stackoverflow.com/questions/15496915/how-to-implement-a-secure-rest-api-with-node-js – Mic Jan 15 '15 at 17:57
  • I suppose the alternative would be to implement your widget in a way that it's hosted on your domain and embedded via iframe. – Mic Jan 15 '15 at 18:00
  • Unfortunately due to our use cases that isn't really an option! – opticon Jan 15 '15 at 18:02
  • This one actually discusses auth in more depth. http://stackoverflow.com/questions/9773664/rest-api-token-based-authentication For any requests that you want to secure, you're probably looking at having the user authenticate, and then providing them with an auth token that they have to use to sign their requests. You'll want to expose your API only over SSL as well, otherwise you'll be passing auth credentials unencrypted, which would be bad. – Mic Jan 15 '15 at 18:10
  • Also, for a real-world example, take a look at dmcloud (the service behind DailyMotion) https://www.dmcloud.net/doc/api/api-general.html You can see them using a hash of the request and api key, which gives them a means of validating the integrity of the request. – Mic Jan 15 '15 at 18:14
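
The request-signing idea from the comments above (a hash over the request and an API key), as an added example that is not part of the original thread and does not reproduce dmcloud's scheme. The canonical string layout, field names, sample values and the 300-second freshness window are assumptions; HMAC-SHA256 from Node's built-in crypto module is used as the keyed hash.

```javascript
// Added example: verify an HMAC-signed API request on a Node back end.
// All names, paths and values here are illustrative assumptions.
const nodeCrypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed freshness window to limit replay

// Canonical string covering every part of the request that must not change.
function canonicalize(method, path, body, timestamp) {
  const bodyHash = nodeCrypto.createHash("sha256").update(body).digest("hex");
  return [method.toUpperCase(), path, bodyHash, String(timestamp)].join("\n");
}

// Run by whoever holds the API secret (a server, never script sent to browsers).
function signRequest(secret, method, path, body, timestamp) {
  return nodeCrypto.createHmac("sha256", secret)
    .update(canonicalize(method, path, body, timestamp))
    .digest("hex");
}

// Run by the API: true only for a fresh request whose signature matches.
function verifyRequest(secret, req, nowSeconds) {
  const ts = Number(req.timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(signRequest(secret, req.method, req.path, req.body, ts), "hex");
  const given = Buffer.from(String(req.signature), "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Constructed sample data (not taken from any real service).
const SECRET = "constructed-demo-secret";
const NOW = 1421345000;
const body = JSON.stringify({ action: "like", item: 42 });
const good = {
  method: "POST", path: "/api/widget/action", body, timestamp: NOW,
  signature: signRequest(SECRET, "POST", "/api/widget/action", body, NOW),
};

function demo() {
  return {
    valid: verifyRequest(SECRET, good, NOW + 10),
    tampered: verifyRequest(SECRET, { ...good, body: body.replace("42", "43") }, NOW + 10),
    replayed: verifyRequest(SECRET, good, NOW + 3600),
    malformed: verifyRequest(SECRET, { ...good, signature: "zz" }, NOW + 10),
  };
}
console.log(demo());
```

The secret has to stay on a server: a widget's JavaScript is readable by every visitor, so signing belongs to the embedding site's back end or to a login flow on your own domain that issues a short-lived token.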

0 Answers