
After reading all the threads on Stack Overflow and other platforms, I still wasn't able to find an answer which satisfies me.

The task: I want to create a single page application (SPA) which receives data from a REST API. In this SPA, NO authentication should be used. It's a public site. But the REST API should only be accessible from people who loaded the SPA from my webserver.

I assume this is only solvable with something on server side like sessions, cookies etc. - otherwise I'm open for your suggestions, solutions etc.

Thx in advance!

  • If your authentication is based on the fact that the client should "behave" right, you don't have authentication. Everything a SPA is doing is visible for the user, that's the whole point of moving the communication to the browser, so either you do some kind of security through obscurity or add proper authentication. Commented Jan 13, 2020 at 13:48
  • @Smutje yes, but these are not the only arguments for using a SPA. With a SPA there is 0 server-side rendering. I'm searching for a way to develop a SPA with all its advantages, but I try to secure my backend system so that it cannot be used without my SPA. Commented Jan 13, 2020 at 13:53
  • Yeah, add authentication? Commented Jan 13, 2020 at 13:55
  • @Smutje I don't want a user on a public site to need to register or use OAuth with e.g. Gmail. Commented Jan 13, 2020 at 13:58
  • Yeah, but this session cookie, as it is sent by the browser, is visible for everyone who can open the developer console. Commented Jan 13, 2020 at 14:55

2 Answers

There's no reasonably easy way to do this. You can easily prevent other domains (in browsers) from accessing an API on your domain (via CORS), but it's significantly harder to prevent scripts from doing this.

The issue lies in 'how do you detect legit browser traffic from a script'. It turns out that this is not easy. You could try to detect 'unusual behavior' as much as possible (for example a large amount of requests in a short time), but this doesn't stop clients that are slower.

Ultimately if people want your data, they will find some way around whatever restrictions you come up with. You should reevaluate this and use one of the following options:

  1. Don't do an SPA and API. Although one could wonder, if the data exists in HTML it can still be crawled.
  2. Add authentication. But obviously this won't help you in any way if anyone can authenticate.
  3. Re-evaluate why you have this restriction. What are you worried about? If you're worried about people taking your data and using it elsewhere, how does only showing it in a browser from 1 domain help with that? If you're worried about copyright theft, why not use a legal approach to this?

I've seen a lot of these types of questions, but in my opinion I haven't yet seen one that has a legitimate good reason to want this. But, maybe you're the first.
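To make the CORS point above concrete, here is an added example (not code from the question or the answers) of a minimal CORS allowlist for a public JSON API: the allowlist only decides whether a browser may expose the response to page scripts; the server still returns the data to any caller. The origin, API path and sample payload are assumptions made up for this illustration.

```python
"""Added example: CORS allowlist on a public API, showing that it scopes
browser access only.  Origin, path and payload are constructed values."""
import json

# Hypothetical: the SPA is served from this origin only.
ALLOWED_ORIGINS = {"https://spa.example.com"}
API_PATH = "/api/items"
SAMPLE_DATA = [{"id": 1, "name": "constructed sample"}]  # constructed payload


def cors_headers(origin):
    """Return the CORS response headers for a given Origin header value.

    The allowlist decides only whether the *browser* may expose the
    response to page scripts; it never withholds the response itself.
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",  # caches must not reuse a per-origin header
        }
    return {}


def handle_request(method, path, headers):
    """Tiny request handler returning (status, headers, body)."""
    origin = headers.get("Origin")  # absent for non-browser clients
    if path != API_PATH:
        return 404, {}, b""
    if method == "OPTIONS":  # preflight: CORS headers only, no data
        extra = cors_headers(origin)
        if extra:
            extra["Access-Control-Allow-Methods"] = "GET"
        return 204, extra, b""
    if method != "GET":
        return 405, {}, b""
    # Data is returned regardless of Origin: the server has no reliable
    # signal that the caller is "my SPA" rather than any other client.
    body = json.dumps(SAMPLE_DATA).encode()
    return 200, {"Content-Type": "application/json", **cors_headers(origin)}, body


if __name__ == "__main__":
    for hdrs in ({"Origin": "https://spa.example.com"},
                 {"Origin": "https://other.example"}, {}):
        status, resp, body = handle_request("GET", API_PATH, hdrs)
        print(hdrs.get("Origin"), status,
              resp.get("Access-Control-Allow-Origin"), body)
```

Running it prints the same body for all three callers; only the allowed origin gets an Access-Control-Allow-Origin header, which is exactly the difference between a browser-side policy and server-side access control.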


4 Comments

Thx for your answer. Yeah, it seems that there is no way to solve my issue when using a REST API and SPA. CORS won't help in this case, or it helps as much as the session cookie we discussed in the comments of my start post... Legitimate reasons could be open demos (SPA) for SaaS which should be charged for commercial use (REST API). Example: printing and image file converter, invoice converter to different standards, ... the list could be soooo long
@DubZ yes but the point is, if you can do it in a web application, you can automate it. This issue is not specific to having a REST API or SPA. Any task a SPA can do, an automated script can do. Any task a non-SPA web application can do, can also be automated. It's the nature of the web. The only way around it is if you control the hardware of the user fully.
I don't fully agree. There are ways like server sessions (not cookie based), captcha, ... or something else which can make things very, very difficult
@DubZ yes but you cannot have that protection in the API without also having it in the frontend. That was my point. If you can do it in the frontend, you can do it in the API. If you add a captcha, that is a form of throttling/authentication.

I believe I answered my question myself on a comment 30 minutes ago... I think with captcha I'm able to secure the REST API against unwanted access to my REST API
