security - How to publish jQuery code accessing a REST api, but have it secured from unauthorized use

Question

This question is similar to this one:

Developing API - how to make it secured?

What I want is to develop a jQuery based query against a REST api on my server to retrieve some data for display on a web page.

I want the authorized user of the web page and jQuery to be able to access this data, but don't want others to be able to copy that jQuery and put it on their site to access this data in any way. And to be clear, this is all happening client side in the browser - without any server side code involved...

What is the correct strategy to accomplish this if it is even possible?

I don't want the end user viewing the web page to have to know anything about any of this going on in their browser...

Thanks!

Answer 1

If you don't require your end-user to do any sort of authentication into your site so you can't use that as an auth method and you want your webpage to be able to use the REST API without any other intervention, then there is no foolproof way to secure your REST API. If you want the data in an unauthenticated browser, then anyone can retrieve that data.

Keep in mind also that they could always just run your web page and parse the data out of your web page too so, if no authentication is required to use this web page, the data is already available to the general public. You can't truly secure it without requiring authentication.

There are some things you can try to make it more difficult for people to use your REST API, though none are foolproof. These are only obstacles, not security.

1. You can put an expiring token into your web page, include that in the web request and then verify it's an unexpired token in the REST API. This prevents someone from just using your REST API directly from another browser page (they won't have a legal token), but doesn't prevent a server from first fetching the host page, retrieving the token and then using it to access the API.

2. You can try checking the referrer and only fulfill web requests that say that are coming from your domain. This is also not foolproof since the referrer can be spoofed, but it is an obstacle.

3. You can make the data response obscure so that it's not immediately obvious how to interpret the data that is returned (scrambled, encrypted, etc...). Again, this is just an obstacle that won't prevent a determined hacker from reverse engineering how your own code interprets the response, but it is again more work that gets in the way of casual users of your REST API.

What a lot of REST APIs do is require an accessKey be used with every API call. Your web page would have an accessKey built in. Any outside developer that wishes to use your API (with your permission) applies for an accessKey and you grant it to them (if you want them to be able to use your API). Your server then only allows access requests from approved accessKeys. If you find that there is some rogue use of an accessKey, you can shut down use of that accessKey at your server. If the accesskey in your own web page is being used by someone against your wishes, then you can change the accessKey you put in your own web page and revoke privileges for the previous accessKey. Obviously, some rogue developer could keep grabbing the accessKey out of your own web page, but they would have to do that regularly in order to regularly use your API. Again, it's just an obstacle that can be surmounted by a determined/knowledgeable developer, but it's about the best you can do for data that is already available to the public.

FYI, here's another similar discussion: How to restrict JSON access?