
I'm about to launch a SPA app that I built in VueJS but I'm worried about how exposed my API is. Anyone with access to the app could easily just download all of the data I have running through my RESTful API. The API is protected with OAuth, but with signups being free, essentially anyone can literally have all of the data my app provides.

I recently started looking into an SSR framework like Nuxt thinking this would be the solution to my problem. If I make all my RESTful calls server side, I won't have to expose my API to the world and can return HTML partials while still having the niceness of a SPA app. I know even HTML can be scraped, but I'd rather not just hand my whole database to someone in a nice JSON payload.

After playing around with Nuxt, I'm not sure this is what I'm looking for since it only does the initial REST call on the server, and all subsequent ones happen from the client. What are my options when it comes to not exposing my REST API while still having the benefits of a SPA app?

EDIT: Some backstory if it will help: I have about 30,000 records in a database that are available through a public-facing ASP.NET MVC Core API. I limited the amount of results that can come back with a page request to 60. My VueJS/Nuxt app uses this API to display the data to the user. Since the calls happen from the client side, my API is open to anyone who wants to hit it. That means some young, enterprising kid could write a small app that loops 500 times and will have the entirety of my database in less than a couple of minutes. I know it's impossible to stop scrapers, but I'd like to make this a little harder to accomplish.

Chris Lees
  • Does this answer your question? [How to use a private API key with Nuxt (on the client)?](https://stackoverflow.com/questions/69623771/how-to-use-a-private-api-key-with-nuxt-on-the-client) – kissu Oct 21 '21 at 14:26
  • @kissu not really. I can already make the API work flawlessly from server side, as well as client side. I'd like to make it so no client-side API calls are made. If I can make all the calls happen on the server, I can lock down the API so no one can access it but the server which would essentially block people from using my API to download all of my data and have to resort to scraping if they really wanted the data bad enough. – Chris Lees Oct 21 '21 at 14:41
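The pattern the asker is reaching for, with all calls made from the server and the API locked down so only the server can reach it, is usually called a back-end-for-front-end (BFF) proxy. The following is an added example written for this page; it is not code from the question, from Nuxt, or from the asker's project. It is a small Node.js proxy: the browser only ever calls the proxy, the proxy holds the upstream OAuth bearer token (so that token never reaches a client), it rebuilds the upstream query itself instead of forwarding client input, it trims each record to the fields the UI needs, and it enforces a per-session page budget so that a loop of 500 requests becomes a throttled trickle rather than a full dump. Everything not stated in the question is assumed: the upstream path `/api/items`, the `sid` session cookie, the `id`/`title` field names, and the budget of 20 pages per hour. The 60-results-per-page cap is taken from the question.

```javascript
// Added example (not from the question or from Nuxt): a back-end-for-front-end
// proxy. The browser talks only to this process; this process talks to the
// ASP.NET API with a server-held token, so the API can be restricted to accept
// requests only from the proxy (network rule, client-credential token, etc.).

const PAGE_SIZE = 60;                 // the API's 60-results-per-page cap (from the question)
const PAGES_PER_WINDOW = 20;          // assumed budget: 20 pages (1,200 rows) per session per window
const WINDOW_MS = 60 * 60 * 1000;     // assumed window: one hour

// In-memory fixed-window budget keyed by session id. Replace with Redis or
// similar when more than one proxy instance is running.
const budgets = new Map();

function consumePage(sessionId, now = Date.now()) {
  let b = budgets.get(sessionId);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    b = { windowStart: now, pages: 0 };
    budgets.set(sessionId, b);
  }
  if (b.pages >= PAGES_PER_WINDOW) {
    return { allowed: false, retryAfterMs: b.windowStart + WINDOW_MS - now };
  }
  b.pages += 1;
  return { allowed: true, remaining: PAGES_PER_WINDOW - b.pages };
}

// Validate what the client asked for and build the upstream query ourselves.
// Nothing the client sends is forwarded verbatim, so the client cannot widen
// the page size or reach endpoints the UI does not use.
function buildUpstreamQuery(params) {
  const page = Number.parseInt(params.page ?? '1', 10);
  if (!Number.isInteger(page) || page < 1) return null;
  const q = typeof params.q === 'string' ? params.q.slice(0, 100) : '';
  return { page, pageSize: PAGE_SIZE, q };
}

// Core handler. `upstream` is injected so the logic can be exercised without a
// network: in production it is makeUpstream(...), in a test it is a stub.
async function handleApiRequest({ sessionId, params }, upstream, now = Date.now()) {
  if (!sessionId) return { status: 401, body: { error: 'no session' } };
  const query = buildUpstreamQuery(params);
  if (!query) return { status: 400, body: { error: 'bad page' } };
  const budget = consumePage(sessionId, now);
  if (!budget.allowed) {
    return {
      status: 429,
      headers: { 'Retry-After': String(Math.ceil(budget.retryAfterMs / 1000)) },
      body: { error: 'page budget exhausted' },
    };
  }
  const data = await upstream(query);
  // Ship only the fields the UI renders, not the upstream record as stored.
  const items = data.items.map(({ id, title }) => ({ id, title }));
  return { status: 200, body: { page: query.page, pageSize: PAGE_SIZE, items } };
}

// Production upstream: calls the real API with a token that exists only here.
// Assumed endpoint and parameter names; adjust to the real API.
function makeUpstream({ apiBase, token, fetchImpl = globalThis.fetch }) {
  return async (query) => {
    const url = new URL('/api/items', apiBase);
    url.searchParams.set('page', String(query.page));
    url.searchParams.set('pageSize', String(query.pageSize));
    if (query.q) url.searchParams.set('q', query.q);
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
    if (!res.ok) throw new Error(`upstream returned ${res.status}`);
    return res.json();
  };
}

// Minimal HTTP wiring: session id comes from an assumed `sid` cookie that your
// login flow sets; the browser never sees the upstream token.
async function startServer({ port, upstream }) {
  const http = await import('node:http');
  const server = http.createServer(async (req, res) => {
    const url = new URL(req.url, 'http://localhost');
    const sid = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '')?.[1] || '';
    const out = await handleApiRequest(
      { sessionId: sid, params: Object.fromEntries(url.searchParams) },
      upstream,
    );
    res.writeHead(out.status, { 'Content-Type': 'application/json', ...(out.headers || {}) });
    res.end(JSON.stringify(out.body));
  });
  await new Promise((resolve) => server.listen(port, resolve));
  return server;
}
```

To run it for real: `startServer({ port: 3001, upstream: makeUpstream({ apiBase: 'https://api.example.test', token: process.env.API_TOKEN }) })`, point the Vue app's fetches at the proxy instead of the API, and then restrict the API so only the proxy can call it. The budget does not stop scraping, which the question already concedes is impossible; it changes the cost from one loop of 500 requests to many sessions spread over many hours, and it gives you a place to log and block the sessions that hit 429 repeatedly.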

0 Answers