Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

How to protect a private REST API in an AJAX app

How to protect a private REST API in an AJAX app

Problem

I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.

I have a Private Rest Api written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.

I want to avoid bots creating accounts on my server and consuming my resources.

Is there any way to acomplish this?

Problem courtesy of: aartiles

Solution

An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.

You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:

http://cloud.dzone.com/news/using-api-keys-effectively

Solution courtesy of: Chris Hutchinson

Discussion

View additional discussion.



This post first appeared on Node.js Recipes, please read the originial post: here

Share the post

How to protect a private REST API in an AJAX app

×

Subscribe to Node.js Recipes

Get updates delivered right to your inbox!

Thank you for your subscription

×