Protecting JSON Web Service

I have a JSON web service that I want to provide only to specific sites. It is a service that will be called from JavaScript using JSONP. How can I prevent (or at least impede) unauthorized sites from accessing it? Requiring a user/password will not work, because it would be clearly visible in the JavaScript.

Example: my web service on com.com provides weather information and I want website.com and webpage.com to be able to access it. But since the web service is accessed via JavaScript, lazywebsite.com can simply view the source code of website.com and webpage.com and copy/paste the JavaScript code.

My thoughts so far are:

  • Use an API key and check the HTTP_REFERER from which the service is accessed. This is not ideal, since HTTP_REFERER is untrustworthy.
  • Have website.com/webpage.com generate a unique token server-side using an algorithm I provide, store it in the session and use it as the key to access the web service. That way the token is registered only for this particular visitor, and the JS cannot simply be copied/pasted. The problem then moves to website.com/webpage.com having to protect the page that generates the unique key.

Are there any better solutions?

+4
2 answers

There is no perfect way.

If you are serious about security, the solution is to not publish your JSON service to the world. Make it private and require that website.com and webpage.com make a confidential server-to-server request to your server for the data. Then you can authenticate however you want, and the secrets remain secure in their server code. This is basically a proxy solution. (One nice benefit: your JSON data will now have the same origin as the site, which means you don't have to do JSONP hacks.)

If you are less serious about security and just want to make it difficult, the simplest things are the ones you have already outlined. Check the referer. This header can be faked, but it's a pain, and hopefully most attackers won't bother trying. Also require a password and/or API key (they are equivalent) and obfuscate it inside the JavaScript to make it harder to get.

+4

As an update to this old question, I recommend that you take a look at what the Facebook and Twitter JavaScript APIs do for security.

-2
