I've created a website based on my API - so that my FrontEnd is decoupled from the backend using a simple REST API (frontend is pure javascript/html).
I would like to protect the API from usage by anyone else - so that the calls can come from the website alone (or maybe allow other specific websites to use it).
For now, if anyone would use curl he will be able to scrape the API very easily.
How can I protect the API assuming the FrontEnd is JS/Html only, so that legitimate calls from my own pages work but curl and such from third parties do not?
This question may not be a good fit for SO, as there can be multiple equally-valid answers.
But one way to do this would be to use SSL, user authentication, and tokens. Here's a rundown:
- Use SSL for the pages that use the API.
- When a page is freshly-requested from your site, you return it with a token that allows user login and nothing else. That token is associated with the requesting IP address on your server and can only be used with requests from that IP address, and only for logging in.
- When the user logs in, you give them a new token that's associated with their user account and IP address. All subsequent requests must be made using that token, and from that IP address.
- Limit the API calls that can be made with that token to only those that that user account must be able to use. Default deny, in other words.
- Time-out the tokens (on the server) after whatever interval of inactivity seems appropriate to you.
- Rate-limit requests to a rate that is reasonable for an actual human being using your application.
- Make extensive use of your logs to determine patterns of typical activity, so you can identify atypical activity and block it.
- This may be obvious, but make sure the tokens are hard to predict (not a steadily-increasing number, for instance) and hard to spoof. Although the IP address/token link is held server-side, you still don't want to make life easy for potential hackers.
The user authentication part of that is important, because otherwise, while you'd be pretty safe from remote hacking (because of the SSL), a hacker who uses a browser to go to your site so he/she can get the token can then use curl or similar to his/her heart's content with that token. So if someone is mining your site, you at least want to have some clue who they might be (your user authentication) so you can get them to stop.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 贪生不怕死 的文章《Protecting my API》','https://www.manongdao.com/article-851259.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}