Reputation: 10867
I'm currently creating my first API. I know how to set up all the endpoints and do what I want with them. The issue I'm having is that I don't want just anyone to be able to visit site.com/api/example
and get data back from it. What methods/concepts are available to make sure that only my application is able to access the API? I'm going to want to POST and GET these endpoints using both JavaScript and PHP.
Any help at all on this would be greatly appreciated, thanks!
Upvotes: 2
Views: 2311
Reputation: 29987
You have basically two solutions:
Application authentication: your application will be responsible for handling the authentication of your user and providing the server with evidence of a successful authentication. The implementation will vary depending on whether the authentication is done directly on the server (by providing credentials) or indirectly (it would then provide an authentication token to the server). Some keywords: OAuth, JWT, LDAP
Client-side TLS certificate: the server will require your app to present a TLS certificate in order to set up the TLS tunnel.
Upvotes: 1
Reputation: 965
Here are two options:
Don't let anyone know you're using an API. Only call the API from server side, let the API only listen to requests from your server's IP. Direct Javascript API calls to your server that forwards them to the API and sends the (perhaps even filtered) API response object to client side.
API authentication in combination with an ACL (Access Control List). Use OAuth or JWT to generate an access token that you send with each request. Through the ACL you can vary the output based on which user is making the request. Perhaps JavaScript requests are answered with limited public data, while responses to your server-side requests can contain data you may need for processing but don't want to share publicly.
Personally I use a combination of both: JWT authentication and never letting JavaScript send requests directly. I always validate these server-side before forwarding them to the API (if the response is not already cached on the server).
Upvotes: 0