I have created a simple REST API for my application using Node/Express. I am using AngularJS on the front end to serve pages to the user.
I would like to add functionality such that the API can only be accessed via my front end, and no one should be able to do a GET/POST request to my site and get the data.
What strategies can I use to achieve this?
- Using authentication middleware? Passport, for example. – raina77ow, Apr 30, 2014 at 16:29
- I couldn't quite understand how to integrate that into my solution, as I don't want to use a password etc. – dopplesoldner, Apr 30, 2014 at 16:49
- You don't have to use password etc.; there are different auth strategies. – raina77ow, Apr 30, 2014 at 16:52
- OK, did some reading; github.com/jaredhanson/passport-anonymous looks like it could help me. Am I correct? – dopplesoldner, Apr 30, 2014 at 16:58
- This thread may help you: stackoverflow.com/questions/15496915/… – Carol Skelly, Apr 30, 2014 at 17:53
1 Answer
An HTTP request can be formatted and sent to the server by many means other than a browser (curl, for example), so a server always detecting the correct source of a request is not guaranteed.
The basic method to protect an endpoint would be to use some kind of authentication. The requesting client must present something uniquely identifying it. The API should provide a client with a token after the client proves itself authentic (via login etc.), and all subsequent requests would be checked for this token.