
Background checks: I read through several blogs but was unable to find anything specific around this question.

Below is the architecture:

  1. An HTTPS website (no login needed) has a common LIKE button.
  2. Upon clicking it, the user enters an email address, solves a CAPTCHA and clicks the SAVE button.
  3. A REST call is made with the data and the DB stores the values.

Problem: Now if someone tries to call the REST endpoint from, say, Postman, there is no way to authenticate whether the call is coming from the HTTPS website or somewhere else.

Question: Is there any way to ensure that the REST service can tell whether the call is coming from the HTTPS site only, in order to process the request further?

  • How about maintaining sessions or having token-based API calls? – sanedroid Sep 29 '17 at 12:55
  • @PoojaGaikwad - Website does not have user logins, it's open publicly. Will it work in this situation? If yes, if you don't mind, can you guide me how to do that? – Nikhil Joshi Sep 29 '17 at 12:57
  • Possible duplicate of [Prevent Direct Access To File Called By ajax Function](https://stackoverflow.com/questions/1756591/prevent-direct-access-to-file-called-by-ajax-function) – Quentin Sep 29 '17 at 12:59
  • `...there is no way to authenticate whether call is coming from Https website or somewhere else` <= The API should be called using httpS. You can also deny [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) if you want to deny requests from other domains. Also even though you are not authenticating with a user/password you are still authenticating and the API should return some type of token (cookie, bearer-token, something) that can be used for future calls. Finally, you can also use a [csrf token](https://en.wikipedia.org/wiki/Cross-site_request_forgery). – Igor Sep 29 '17 at 13:03
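The comments point at tokens and CSRF protection, so here is a worked example of what that looks like for a form with no user login. It is an added example, not code from the question or from any of the commenters. The underlying limit is worth stating plainly: a server cannot reliably distinguish "a browser on my page" from Postman, because `Origin`, `Referer` and any client-side value are set by the caller, and CORS is enforced by browsers, not by non-browser clients. What a defender can do is make a direct call carry no advantage: the page mints a short-lived HMAC-signed token when it renders the LIKE form, the REST endpoint accepts a SAVE only with a fresh, unused token and a CAPTCHA response that has been verified server-side, and rate limiting handles the rest. All names (`issue_form_token`, `verify_form_token`, `handle_save`, `SECRET_KEY`) and the sample secret and requests are constructed for this example; the `captcha_passed` flag stands for the result of the CAPTCHA provider's server-side verification call, which is assumed to happen before `handle_save` runs.

```python
"""Short-lived, single-use, HMAC-signed anti-forgery token for a public (no-login) form.

Constructed example: the page issues a token when it renders the LIKE form; the REST
endpoint accepts a SAVE only when the token verifies, is fresh and has not been replayed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Shared only between the page renderer and the REST endpoint (constructed value;
# in practice load it from configuration and rotate it, never send it to clients).
SECRET_KEY = b"constructed-server-secret-rotate-me"
TOKEN_MAX_AGE = 600  # seconds a rendered form stays submittable


def _sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, hex encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _decode_payload(p64: str) -> Optional[dict]:
    """Base64url-decode the payload and check it has the expected shape."""
    padded = p64 + "=" * (-len(p64) % 4)
    try:
        data = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error and JSON errors
        return None
    if isinstance(data, dict) and isinstance(data.get("ts"), int) and isinstance(data.get("nonce"), str):
        return data
    return None


def issue_form_token(key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Return 'payload.signature' where payload = base64url(JSON{ts, nonce})."""
    ts = int(now if now is not None else time.time())
    payload = json.dumps({"ts": ts, "nonce": secrets.token_hex(8)}, separators=(",", ":")).encode()
    p64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{p64}.{_sign(p64.encode(), key)}"


def verify_form_token(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None,
                      max_age: int = TOKEN_MAX_AGE) -> Tuple[bool, str, Optional[dict]]:
    """Check the signature in constant time, then freshness; return (ok, reason, payload)."""
    try:
        p64, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed", None
    # Verify before decoding so an attacker-controlled payload is never parsed unsigned.
    if not hmac.compare_digest(_sign(p64.encode(), key), sig):
        return False, "bad-signature", None
    payload = _decode_payload(p64)
    if payload is None:
        return False, "malformed", None
    age = (now if now is not None else time.time()) - payload["ts"]
    if age < 0 or age > max_age:
        return False, "expired", None
    return True, "ok", payload


def handle_save(request: dict, used_nonces: set, captcha_passed: bool,
                now: Optional[float] = None) -> Tuple[int, str]:
    """REST handler for SAVE. `captcha_passed` is the outcome of the provider's
    server-side verification of the CAPTCHA response (assumed done by the caller)."""
    ok, reason, payload = verify_form_token(request.get("form_token", ""), now=now)
    if not ok:
        return 403, f"rejected: {reason}"
    if payload["nonce"] in used_nonces:  # single-use: a captured token cannot be replayed
        return 403, "rejected: replay"
    if not captcha_passed:
        return 403, "rejected: captcha"
    used_nonces.add(payload["nonce"])
    # A passing request proves the caller recently fetched our page and solved the CAPTCHA,
    # not that it is a browser; that is the strongest property available without a login.
    return 200, f"saved {request.get('email')}"


if __name__ == "__main__":
    used = set()
    token = issue_form_token()
    print(handle_save({"email": "user@example.com", "form_token": token}, used, captcha_passed=True))
    print(handle_save({"email": "user@example.com", "form_token": token}, used, captcha_passed=True))
```

The token is a stateless CSRF-style value (the server only needs the key and the set of spent nonces), so it works for an anonymous site without sessions, which is the case raised in the thread. Expiry bounds how long a scraped token stays useful, the nonce set stops replay, and the signature check runs before the payload is parsed so the endpoint never acts on unsigned input.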

0 Answers