
I want to make a PhoneGap application, in which I will use a PHP API and AJAX calls to it for communication.

The problem is security - when I make AJAX calls to my PHP API - the address is visible to anyone who can read the JS files, and they can easily manipulate the data. I am thinking of two things that can be useful, but they are still not what I am looking for.

  1. CSRF token generated by the PHP API - yes, but to get the token in the app, I still have to make a request to the API, which again is visible and can be duplicated/manipulated.
  2. Uglify the js files, which is good for production, but it's not bringing the real security I want.

So the question is - how to secure my PHP API from unauthorized AJAX calls and allow only calls from my application?

Yasen Ivanov
    Oh, so very very many duplicates there are for this. I'll try to find one. Short answer: You can't. Authenticate the user instead. – Quentin May 12 '16 at 10:33
    It's impossible to fully prevent a client from being modified, hijacked, cloned or abused. This is something you need to be aware of. The only thing you can rely on is server-side validation. – Daniel W. May 12 '16 at 10:33
