Reputation: 201
I have a situation where I would like to restrict some APIs to server-to-server calls only, while the rest of the APIs can be called directly from a web browser. All the APIs should still be available on the internet. What is the best approach for such a situation?
http://secureapi.myserver.com/v1/resources and http://api.myserver.com/v1/resources
Or
http://api.myserver.com/secure/v1/resources and http://api.myserver.com/common/v1/resources
or
http://api.myserver.com/v1/resources with a check based on the User-Agent to identify the caller
A better suggestion would be highly appreciated.
Upvotes: 0
Views: 182
Reputation: 19295
If you want your server-side only API to be really only reachable from the server side, then you'll have to implement a proper access control model. Have your API clients submit Authorization headers with their HTTP requests so that the server can accurately distinguish between trusted server-side callers and browsers out on the web.
Don't rely on spoofable things like User-Agent strings. That's security through obscurity and is guaranteed to bite you later.
Just remember that these two wishes of yours:
I would like to restrict some APIs only for server to server calls
and
All the APIs should still be available on internet.
are what scream out for a properly designed secure auth layer for your API.
Upvotes: 3
Reputation: 8091
Use the Cross-Origin Resource Sharing (CORS) mechanism. Configure your REST API to use CORS.
More information here:
http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
http://msdn.microsoft.com/en-us/magazine/dn532203.aspx
Upvotes: 1
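The following is an added example, not code from either answer or from any project, showing how the two suggestions above fit together in one dispatcher: routes under /secure/ are gated on an Authorization header carrying a registered server key (the first answer's access control model), and routes under /common/ stay open to browsers, with CORS response headers for an allowed origin (the second answer's CORS configuration). The paths, the client ids, the API keys, the origins and the request dicts are all constructed for this example; a real deployment would load keys from a secret store and run behind a web framework. It uses only the Python standard library.

```python
import hashlib
import hmac


def _key_hash(key: str) -> str:
    """SHA-256 hex of an API key; the registry stores hashes, never raw keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Hypothetical registry of trusted server-side callers (key hash -> client id).
# The keys are constructed for this example; real ones come from a secret store.
SERVER_CLIENTS = {
    _key_hash("example-key-for-billing-worker"): "billing-worker",
    _key_hash("example-key-for-report-cron"): "report-cron",
}

# Hypothetical origin whose browser pages may read responses from /common/.
ALLOWED_ORIGINS = {"https://app.example.com"}


def parse_bearer(header):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authenticate_server(headers):
    """Return the client id if the Authorization header carries a registered key."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return None
    presented = _key_hash(token)
    matched = None
    # Compare against every entry in constant time so a miss costs the same as a hit.
    for stored_hash, client_id in SERVER_CLIENTS.items():
        if hmac.compare_digest(presented, stored_hash):
            matched = client_id
    return matched


def handle(request):
    """Dispatch one request dict {'method', 'path', 'headers'}; return (status, headers, body).

    Header names in the dict are assumed to be in canonical form ('Authorization', 'Origin').
    """
    method = request["method"]
    path = request["path"]
    headers = request.get("headers", {})

    if path.startswith("/secure/"):
        # Only a presented server key grants access; User-Agent is never consulted,
        # so a browser or script claiming to be a server gets the same 401.
        client = authenticate_server(headers)
        if client is None:
            return 401, {"WWW-Authenticate": "Bearer"}, "unauthorized"
        return 200, {}, "secure resource for " + client

    if path.startswith("/common/"):
        out = {}
        origin = headers.get("Origin")
        # CORS headers tell a browser whether a page on this origin may read the
        # response; they do not restrict non-browser callers, which is why the
        # /secure/ routes need the Authorization check above.
        if origin in ALLOWED_ORIGINS:
            out["Access-Control-Allow-Origin"] = origin
            out["Vary"] = "Origin"
            out["Access-Control-Allow-Methods"] = "GET, OPTIONS"
        if method == "OPTIONS":  # CORS preflight
            return 204, out, ""
        return 200, out, "common resource"

    return 404, {}, "not found"
```

A request to /secure/v1/resources with a convincing User-Agent but no Authorization header is rejected, while the same request with `Authorization: Bearer example-key-for-billing-worker` succeeds; /common/v1/resources answers anyone, and only adds Access-Control-Allow-Origin when the Origin is in the allowlist.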