Question
I have a REST API that can potentially serve multiple web clients.
I want to ensure that only my single page app on my-one-and-only-web-cleint.com can make requests to my API. How do I do this?
Right now there isn't much to stop someone from copying the source of my website and acting as a copy of my single page app on my-one-and-only-web-cleint.com.
The only check I have right now is:
On the server side: I check the request's Origin header and only allow requests from my-one-and-only-web-cleint.com
But my understanding is that you can manually change the header, so this check can be bypassed.
Explanation / Answer
This sounds like preventing a CSRF attack. The Same Origin Policy will already prevent anything within your API from being read by another domain, but to prevent requests that make changes to your system you will need to guard against CSRF.
On the server side: I check the request's Origin header and only allow requests from my-one-and-only-web-cleint.com
Checking the Origin header or a custom one such as X-Requested-With is a valid way to beat CSRF.
An attacker cannot forge this header in the web browser, so anyone visiting the attacker's site, which he has connected to your API, will not be able to use it, as their browser's headers cannot be tampered with.
You should also rely on an authorisation system to prevent the attacker from making API requests server-side (where they can set any header they want).
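The Origin check from the question and the answer, written out as an added example (this is not code from the original post or from the asker's API). It assumes a Node.js REST API whose request headers arrive lower-cased, as Node's http module provides them; the allow-list entry is the question's own hostname, and the sample requests at the bottom are constructed, not captured traffic. It shows the details that make or break this defence: comparing the full origin (scheme, host and port) by exact match rather than substring, falling back to the Referer when a browser omits Origin, rejecting the opaque "null" origin, and applying the check only to state-changing methods, since the Same Origin Policy already covers reads.

```javascript
// Added example: Origin/Referer allow-list check for a REST API (Node.js).
// Assumes header names are lower-cased, as Node's http module exposes them.

// The single SPA origin from the question. Scheme and port are part of the
// origin, so "http://..." or a different port will not match.
const ALLOWED_ORIGINS = new Set(["https://my-one-and-only-web-cleint.com"]);

// Methods that do not change state; the Same Origin Policy already stops
// another site from reading their responses, so no origin check is needed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a Referer URL to scheme://host[:port] so it compares like an
// Origin value. Returns null when the Referer is absent or unparsable.
function originFromReferer(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// Decide whether a request came from an allow-listed browser origin.
// Returns { ok, reason } so the caller can log why a request was refused.
function checkRequestOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  // Browsers send Origin on cross-origin requests and on same-origin
  // POST/PUT/DELETE; if it is missing, fall back to the Referer.
  const effective = origin !== undefined ? origin : originFromReferer(headers["referer"]);

  if (effective === null || effective === undefined) {
    return { ok: false, reason: "no Origin or Referer header" };
  }
  // Sandboxed iframes, data: URLs and some redirects send the literal
  // string "null"; that can never be the SPA, so refuse it.
  if (effective === "null") {
    return { ok: false, reason: "opaque (null) origin" };
  }
  // Exact match on the whole origin. A substring or prefix match would let
  // https://my-one-and-only-web-cleint.com.evil.example through.
  if (!allowed.has(effective)) {
    return { ok: false, reason: `origin ${effective} not allow-listed` };
  }
  return { ok: true, reason: "origin allow-listed" };
}

// HTTP status to answer with before doing any work: safe methods pass,
// state-changing methods must pass the origin check.
// Note: this only constrains browsers. A script using curl can send any
// Origin it likes, so the API still needs real authentication/authorisation
// of the user, as the answer says.
function decide(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return 200;
  return checkRequestOrigin(headers).ok ? 200 : 403;
}

// Constructed sample requests (not captured traffic) to exercise the check.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    ["POST", { origin: "https://my-one-and-only-web-cleint.com" }],
    ["POST", { origin: "https://my-one-and-only-web-cleint.com.evil.example" }],
    ["POST", { origin: "null" }],
    ["POST", { referer: "https://my-one-and-only-web-cleint.com/app/index.html" }],
    ["POST", {}],
    ["GET", {}],
  ];
  for (const [method, headers] of samples) {
    console.log(method, JSON.stringify(headers), "->", decide(method, headers));
  }
}
```

Wire `decide` (or `checkRequestOrigin`) in as the first step of every request handler, before any database work, and log the `reason` on refusals so a misconfigured client origin shows up quickly in the API's logs.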