-1

A website requests a URL from a remote RESTful API which then returns a JSON object with sensitive data.

How can I protect that call coming from the "client"? If I send any headers or post data for authentication (keys, credentials, etc.) it's still gonna be visible to the user and defeats the purpose.

Basically, how can I make sure that someone can't call the same URL I'm calling through AJAX in their browser and protect the sensitive data? If I use post parameters, they'll be visible in the javascript code.

```javascript
$.post({
    url: ...,
    username: ...,
    password: ...,
    key: ...,
    ...
});
```
jstudios
  • possible duplicate of [How to secure my jQuery AJAX calls in PHP and Javascript?](http://stackoverflow.com/questions/20170728/how-to-secure-my-jquery-ajax-calls-in-php-and-javascript) – Jay Blanchard Jul 14 '15 at 20:04
  • What (if any) PHP are you using here? – jonmrich Jul 14 '15 at 20:06
  • 1
    you can't. All of the data must be in javascript for javascript to send it, and if it's in javascript, the client can see it, copy it, and then send the request themselves through a tool such as fiddler or postman, modified in whatever way they like. – Kevin B Jul 14 '15 at 20:06

2 Answers

1

Your current chain of events:

User form submitted -> JS adds sensitive parameters -> all info sent to 3rd party -> JS parses response, etc...

What you should be striving for:

User form submitted -> all info sent to YOUR server -> server adds sensitive parameters -> server CURLs to 3rd party -> server receives response -> server communicates back to user

Moral of the story?

Client-side Javascript should NEVER be used to secure communications nor encrypt data, period.

MonkeyZeus
  • @Oka I see, well taking it out of context is your decision but hopefully my answer is up to par now. – MonkeyZeus Jul 14 '15 at 20:51
  • An improvement, yes. Nothing was taken out of context, since you described a full stack in your example - where the back-end may or may not be written in JavaScript. – Oka Jul 14 '15 at 21:33
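The "send it to YOUR server, let the server add the secret" chain in the answer above, as an added example in Node.js (not code from the answer or the question). `UPSTREAM_URL`, `UPSTREAM_API_KEY`, the session table and `PUBLIC_FIELDS` are hypothetical names constructed for this example; `fetchImpl` is injectable so the route can be exercised offline.

```javascript
// Server-side proxy sketch (added example, not from the answer above). The browser never
// sees UPSTREAM_API_KEY: it sends only its session cookie and the form input to this
// route, and the server attaches the credential before calling the third party.
// UPSTREAM_URL, UPSTREAM_API_KEY, the session table and PUBLIC_FIELDS are hypothetical.
const UPSTREAM_URL = "https://api.example.invalid/report";
const UPSTREAM_API_KEY = process.env.UPSTREAM_API_KEY || "server-only-secret-placeholder";

// Session store lives on the server; the browser only holds an opaque session id.
const sessions = new Map([["sess-abc", "user-42"]]); // constructed sample session

// Whitelist of fields the browser is allowed to receive from the third-party JSON.
const PUBLIC_FIELDS = ["id", "status", "total"];

// Resolve the caller from the session cookie; null means "not signed in".
function authenticate(req) {
  const sid = req.cookies && req.cookies.session;
  return sid ? sessions.get(sid) || null : null;
}

// Build the upstream request on the server, adding the secret here and nowhere else.
function buildUpstreamRequest(userId, query) {
  return {
    url: UPSTREAM_URL,
    options: {
      method: "POST",
      headers: { Authorization: `Bearer ${UPSTREAM_API_KEY}`, "Content-Type": "application/json" },
      body: JSON.stringify({ user: userId, query: String(query || "") }),
    },
  };
}

// Relay only the whitelisted fields so anything sensitive in the upstream reply stays server-side.
function pickPublicFields(upstreamJson) {
  const out = {};
  for (const k of PUBLIC_FIELDS) if (k in upstreamJson) out[k] = upstreamJson[k];
  return out;
}

// Route handler; `req` is shaped like an Express request, `fetchImpl` is injectable
// (global fetch in Node 18+, or a stub when testing) so the example runs offline.
async function handleProxy(req, fetchImpl = fetch) {
  const userId = authenticate(req);
  if (!userId) return { status: 401, body: { error: "not signed in" } };
  const { url, options } = buildUpstreamRequest(userId, req.body && req.body.query);
  const upstream = await fetchImpl(url, options);
  if (!upstream.ok) return { status: 502, body: { error: "upstream request failed" } };
  return { status: 200, body: pickPublicFields(await upstream.json()) };
}
```

The browser-side call then becomes a plain `$.post("/api/report", { query })` with no key, credential or upstream URL in the JavaScript at all.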
0

Well, I think you can use tokens for authentication and expire them, let's say, after n number of requests. However, any data you want to send to the server from the browser will be visible to the user unless you process (encrypt) the data.

Or you can make your connection secure using SSL, OAuth or any other protocols out there.

Dipen Shah