When a user lands on the home page, the website does an AJAX call to api/posts
to retrieve a list of posts.
What I want to do is to make that URL accessible only from the site, that
means even a curl http://localhost:3000/api/posts
should not work.
I've looked through tons of articles and it seems that the best way to do it is to pass a secret token in the request headers + HTTPS, but the issue is there: that token will be stored on the client side, so some guys that know a bit about security could eventually find it.
Ideally I would like to do the checking on the server side only, without passing anything from the client.
I'm using Express.