
I have read many answers here but have not found a solution to my problem. My API is public and I want to be sure that requests are coming only from the website. The website would make many AJAX requests; the whole API is read-only.

The website is reachable by everyone, so a username/password makes no sense. The same goes for an access key, because we don't have any authorization and we are using AJAX (any key would be readable by anyone).

We just have an anonymous user and want to ensure that only requests from our website are able to access the API.

Any ideas?

kurtanamo
  • Possible duplicate of [How do I secure REST API calls?](https://stackoverflow.com/questions/13895679/how-do-i-secure-rest-api-calls) – pedrofb Jul 25 '18 at 11:37
  • Quite frankly, this cannot be done. You have to implement some sort of session, and without any authentication, you cannot implement a session that won't be spoofable by somebody else. Even with authentication, if somebody posted their session ID on a forum, then without any further defence (IP, user agent, etc.) everybody could just use that! You must rate limit your API, or you will get a DoS. – starlight54 Jul 25 '18 at 15:19
  • I think CSRF protection with STP makes sense (overall). But clearly it's neither authentication nor authorization. A combination with a session is the only option right now. Thanks all. – kurtanamo Jul 25 '18 at 15:49

0 Answers
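As an added worked example (not part of the original question or its comments), the following server-side sketch implements the combination the comments converge on: a short-lived, HMAC-signed anonymous token issued with the HTML page and sent back in a custom header (a synchronizer-token-style check, which also forces a CORS preflight for cross-site callers), an `Origin` check, and per-token rate limiting. The names `issue_token`, `verify_token`, `handle_api_request`, `SERVER_SECRET`, the `X-Api-Token` header and the `https://www.example.com` origin are assumptions made for the illustration, and the sample requests at the bottom are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Constructed server-side secret; in production load it from the environment
# or a secrets store and rotate it. Tokens signed with an old secret fail.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://www.example.com"  # assumed site origin
TOKEN_TTL = 3600                             # seconds a page token stays valid
TOKEN_HEADER = "X-Api-Token"                 # custom header -> CORS preflight for other sites


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(now: Optional[float] = None) -> str:
    """Mint an anonymous token when the HTML page is served.

    The page embeds it (for example in <meta name="api-token" content="...">)
    and the site's AJAX code copies it into the X-Api-Token header.
    """
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(16)
    payload = f"{nonce}.{issued}"
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(token: str, now: Optional[float] = None, ttl: int = TOKEN_TTL) -> bool:
    """True only if the HMAC over nonce.issued is valid and the token is not expired."""
    now = now if now is not None else time.time()
    try:
        nonce, issued_s, sig = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False
    expected = _sign(f"{nonce}.{issued_s}".encode())
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False
    return 0 <= now - issued <= ttl


class RateLimiter:
    """Sliding-window limiter keyed by token (or client address)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_api_request(headers: Dict[str, str], limiter: RateLimiter,
                       now: Optional[float] = None) -> Tuple[int, str]:
    """Gate a read-only API call: Origin check, token check, then rate limit."""
    now = now if now is not None else time.time()
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to cross-origin fetch/XHR; same-origin GETs may omit it.
    # A scripted client can forge it, so this filters accidents, not attackers.
    if h.get("origin", ALLOWED_ORIGIN) != ALLOWED_ORIGIN:
        return 403, "forbidden origin"
    token = h.get(TOKEN_HEADER.lower(), "")
    if not verify_token(token, now):
        return 401, "missing or invalid token"
    if not limiter.allow(token, now):
        return 429, "rate limited"
    return 200, '{"data": "public read-only payload"}'


if __name__ == "__main__":
    # Constructed walk-through: page served at t=1000, three AJAX calls, then abuse.
    t = 1000.0
    tok = issue_token(now=t)
    limiter = RateLimiter(limit=3, window=60)
    good = {TOKEN_HEADER: tok, "Origin": ALLOWED_ORIGIN}
    for i in range(1, 5):
        print(handle_api_request(good, limiter, now=t + i))   # 200, 200, 200, 429
    print(handle_api_request({}, limiter, now=t + 5))          # 401
```

The caveat from the comments still applies: anyone can fetch the page, read the token out of it and replay it from a script for up to `TOKEN_TTL` seconds, so this is abuse resistance (short token lifetime, rate limiting per token, CORS preflight for other sites), not authentication or authorization. Binding the token to a server-side anonymous session cookie narrows the window further but does not change that fundamental limit.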