Is it a Good Idea to use REST API from Javascript Code

I am Developing a E-Commerce Web Application as a part of my learning using Spring Hibernate and AngularJs.

I have written some Rest API's Controllers in Spring and then from the Web Component i am invoking the same using Angular Js like the below :-

 storezillaadminapp.service('CategoryService',function($http){
 var listCategories = [];
 this.getAllCategories = function() { 
 return $http.get(_contextPath+'/categories');
 };
 this.addCategory = function(category) {
 return $http.post(_contextPath+'/categories/add',category); 
 };
 this.updateCategory = function(category) {
 return $http.put(_contextPath+'/categories/edit',category); 
 };
 this.removeCategory = function(id) {
 return $http.delete(_contextPath+'/categories/remove/'+id);
 };
 });

1. The concern here is, It is a Good idea to expose the rest api's from javascript code like the above ? The reason for asking this is that, at the end of the day, all the js files get downloaded onto the clients machines making your API more vulnerable. What would be the ways to hide this even if the approach is used.

2. I have seen lots of applications which write some Server side Ajax Code to handle Ajax Requests.

Thanks !

• All you (hopefully) expose is the API's interface. This is common enough and no reason for concern assuming that your code is safe. Basically your REST API should not be much different from a normal site, just you return JSON data instead of HTML. Comparing your sample code that's just the same info I get about a web site looking at its URLs. (also there is no reasonable save way to hide your JS code). Of course all the business logic should be kept on the server and be handled by the code that responds to the API requests.

  thorsten müller

  – thorsten müller

  07/10/2016 13:16:36

  Commented Jul 10, 2016 at 13:16
• On a related but side note, I'd change the name of storezillaadminapp to something more readable if possible. camelCase (i.e. storeZillaAdminApp, maybe something shorter), would work wonders.

  grooveplex

  – grooveplex

  07/10/2016 13:36:12

  Commented Jul 10, 2016 at 13:36
• @thorsten müller Thanks ! your answer sounds more convincing. Now here is a scenario wherein i am putting REST URI's in Js file and on the more the Angular Routing part in Js files too. One can easily take those url and call it from external tools rather than from applications itself. But on the second thoght i feel that there's no other way to protect your API url's from external world.

  Mitesh Manani

  – Mitesh Manani

  07/10/2016 13:40:09

  Commented Jul 10, 2016 at 13:40
• You should never assume that if you have a publicly facing API that you are protecting that API by not making the client code easily visible. Someone could just find your server on the internet and start sending requests to it and seeing what happens. If you want to restrict access to the server you should always implement authentication and authorisation on the server, whether the client code is in a easy to read JS script or in a hard to read compiled C++ library.

  Cormac Mulhall

  – Cormac Mulhall

  07/11/2016 08:56:28

  Commented Jul 11, 2016 at 8:56

1 Answer 1

Start asking to get answers

Find the answer to your question by asking.

Explore related questions

See similar questions with these tags.