
I am currently developing an SPA application with Angular 4 and with a RESTful API made with Symfony. My application will be public, that is, it will not need authentication by username and password.

My question is this. What is the way to ensure that the RESTful API can only be used by the SPA application? Is there any way to ensure that only my client application can use that API and block the other accesses?

I'm asking this since I do not want other applications to be able to use my API to get the data.

Martijn Pieters
Mr. Mars

1 Answer


Your API is public by definition for all intents and purposes. Any random anonymous visitor will need to be able to talk to your API for your site to work. Requests will come from arbitrary browsers. You cannot distinguish whether a request was sent "in the context of your site" or not; the only relevant marker would be the HTTP Referer, but that is neither guaranteed to be set nor is it unspoofable.

Consider what would happen if you wrote your site the old-fashioned way in HTML: your web server would answer HTTP requests and return data packaged in HTML. The only difference with a SPA is that those requests return JSON or XML instead of HTML; other than that there's no significant difference, and the data is just as public as with any other method you use for a public site.

Even using an authentication token of some sort is largely pointless, since your server will readily be divulging authentication tokens at any time to anyone, since they are necessary for people to use the site at all.

deceze
    This makes sense and confirms what I was thinking. I asked this because I have seen some posts here asking the same question. But if something is public it means that it is accessible by everybody. Thanks! – Mr. Mars Feb 21 '18 at 10:17