Andres SK

Reputation: 10974

Blocking external calls to an API (security)

I have to implement an internal API for a website which is called with jQuery ajax. It returns data in JSON.

The catch: it should only return data when it is called from the same website. I'm assuming that an IP check won't work because it is called with JavaScript on the client side.

For example, if someone tries to call the JSON URL from another domain, it should return an error message.

Any ideas?

Upvotes: 2

Views: 435

Answers (1)

Lycha

Reputation: 10177

One way that might be enough here is to provide a CSRF token (secret key) from the backend when the user loads your page. Then pass that token when doing the ajax requests to make sure the user is using the webpage from your servers. At least Django has built-in support for CSRF tokens, and probably the same is true for other frameworks too.

NOTE: This does not make your data/API access more secure, but it makes it more difficult for other websites to access your API. This is not an alternative to proper authentication.


Upvotes: 4
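The token flow the answer describes, as an added example that is not part of the original answer or of any framework's code: a Python stand-in for the backend in which `SESSIONS`, `load_page`, `api_handler` and `token_from_page` are constructed names. The server mints a per-session token when the page loads, the page's own script sends it back in a request header, and the JSON endpoint refuses any call that does not present the token minted for that session.

```python
import hmac
import json
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store standing in for a framework's session backend
# (keyed by the session cookie value the browser would send).
SESSIONS: Dict[str, Dict[str, str]] = {}


def load_page(session_id: str) -> str:
    """Page load: mint a per-session CSRF token and embed it in the HTML served to the browser."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    # The page's script reads this tag and adds the value as an X-CSRF-Token header to its
    # ajax calls. Another origin cannot read this page (same-origin policy) and the header is
    # not sent automatically the way a cookie is, so it cannot forge a passing request.
    return f'<meta name="csrf-token" content="{session["csrf_token"]}">'


def token_from_page(html: str) -> str:
    """What the page's own script does on the client: read the embedded token."""
    marker = 'content="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def api_handler(session_id: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """JSON endpoint: answer only when the request carries the token minted for this session.

    This checks that the call came from a page we served to this session; it says nothing
    about who the user is, so real authentication still has to happen separately.
    """
    session = SESSIONS.get(session_id)
    if session is None or "csrf_token" not in session:
        return 403, json.dumps({"error": "no session"})
    sent = headers.get("X-CSRF-Token", "")
    # Constant-time comparison so the check does not leak token bytes through timing.
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, json.dumps({"error": "missing or invalid CSRF token"})
    return 200, json.dumps({"data": [1, 2, 3]})


if __name__ == "__main__":
    token = token_from_page(load_page("session-A"))
    print(api_handler("session-A", {"X-CSRF-Token": token}))  # accepted
    print(api_handler("session-A", {}))                       # rejected, no token
    print(api_handler("session-B", {"X-CSRF-Token": token}))  # rejected, token is not B's
```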
