How to check that a request comes from a specific web application

So I have a web API for my (JavaScript) web application. The app is wrapped in Cordova and is available for iOS and Android.

I would prefer to restrict access to the data (so that third parties don't use my API). But how can I do this? I do not require (and do not want) the user to create an account, so the application must somehow make sure that the application is sending the request and not someone else.

But how?

+3




2 answers


I would prefer to restrict access to the data (so that third parties don't use my API). But how would I do it?

...

the application must somehow make sure that the application is sending the request and not someone else.

...

But how?

What you are asking for is impossible. This is also the wrong problem to solve.



Further reading: Client authentication is not a server issue

+2




You can't be 100% sure, but you can make it hard to reverse engineer.



  • Use TLS so they can't easily view your protocol with a sniffer.
  • Don't use just one API key; make the key a function of a set of values propagated through the application along with the actual user data.
  • Consider using the TLS key sent by the server as part of the API key function, so everything breaks in minuscule ways if they downgrade TLS.
  • Use meaningless field names in the API.
  • Frequently push updates that change the API scheme.

0


