Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a web app with a JSONP API I’m using with my iPhone app. How do I secure this so requests from other places won’t be able to access my API?
Clarification: My data isn’t that important. You don’t even have to sign in to view it. I just don’t want by my database to work on queries from other sources.
You have embarked on a very very complicated subject. Prepare yourself for some very long nights of reading various cat and mouse techniques of securing your app. I think your best bet is to put a secret string in the header of each request. Something like this:
Secret-Header: #$F@FQAFDSFE#$%#ADSF())*
Validate that header on the server side and use SSL. Someone could easily respond to this post with “Well that doesn’t stop this, this and this” and they will be right. The question is, are you a bank that is worried about someone draining your client’s accounts? Or are you just worried about 99.9999% of the population not being willed enough to hijack your junk?
Some people have all kinds of opinions on this, but if your users require authentication to access the web services, just require the username and password to be sent in the header via SSL. They can still hijack your services, but wouldn’t be able to see anything that they weren’t supposed to anyway. That only works on a user level type of setup though. If it’s completely public, you have to consider how unimportant your data is. It may not be as important as you think.