
I have an English dictionary webapp, say xyz.com, developed using AngularJS (or any other UI) and a REST api. There is no authentication since the webapp is open to everyone and there is no user registration. How can I prevent the REST api from being consumed by outside applications? In other words, the REST api should work only when accessed through xyz.com. I don't want some other developer to use my REST api to power his application.

OAuth isn't a solution for this since there is no authentication. This question is similar to Protect Web API from unauthorized applications, but there weren't any concrete answers that would solve this.

Suneel
  • Take a look at Cross Origin Resource Sharing, CORS http://www.html5rocks.com/en/tutorials/cors/ – Cerad Jun 27 '15 at 19:24
  • @Cerad CORS is overcoming the same origin policy restriction. But that isn't my question. I am looking for a way to prevent unapproved / unethical usage of my public API. A rogue developer can develop his own UI and just call my REST api through a proxy that runs on his domain, thus bypassing the same origin restriction. – Suneel Jun 28 '15 at 00:22
  • You asked for a way to restrict usage of your api to a specific domain: xyz.com. CORS can do just that. – Cerad Jun 28 '15 at 13:02
  • @Cerad So how would CORS prevent someone from writing a Python or Java client to access my REST api from their developer machine? – Suneel Jun 28 '15 at 23:01
  • @Cerad no, he did not ask that and you're not helping! ... to Suneel: I am actually searching for the same thing - did you find something except putting it behind accounts? :/ – JsonKody Jul 15 '22 at 10:25
  • Suneel and @JsonKody, did you find any solutions?? – Omer Jul 27 '22 at 12:23

1 Answer


Cross Origin Resource Sharing mechanisms https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS could be leveraged to protect your application, but are easily bypassable.

In the same vein, Referrer-Policy https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy could be taken into account, but it is not compatible with older browsers.

Since OAuth 2.0 is not possible, you could eventually combine them with Bearer Token HTTP Authentication using JWT as a lighter alternative to OAuth 2.0.

v-g