When building a webapp, I’d like form data / interaction to be all driven by AJAX APIs. However, a lot of these APIs would be retrieving data objects (JSON) and I’d really only like my web app to use them. Is there any way to architect the API in such a way that only my website can call it? It feels like it would be a losing battle.
For instance, I could check if the domain making the request is mine, but a host header can be spoofed.
jsonp doesn’t solve it for me since someone could just write a service in Java or something to make requests outside of a browser sandbox
I’m thinking there might be something with security tokens and generating one, but I feel like any real measure I take can be spoofed by a clever scraper.
You’re right to say that it’s a losing battle. If you give protocol code for your client to run legitimately, then your client can run the code illegitimately as well.
So in that light, I think your only defense is obfuscation. There are two parts to it: making the code hard to understand so that an attacker cannot use the code, and making the protocol hard to understand so that the attacker cannot use an HTTP protocol analyzer.
Disclaimer: I am answering how he/she can hide the AJAX API, not answering whether it’s moral/ethical to do so.