Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can you secure a JavaScript application's API calls?

Tags:

I have a JavaScript application.

It's built with jQuery.

It uses $.get() to pull JSON data from a server, and uses the data to load a puzzle.

I want to distribute the JavaScript application to clients, and make it easy for them to install.

I'd like it to simply give them a JavaScript block they can drop into their page, and it will interact with my API.

I'm not passing sensitive data, any my API is protecting the database from SQL injection, etc.

I just want to try to prevent unauthorized use of my API, and I can't think of a way to do that with JavaScript, since anyone with a DOM inspector can scrape any credentials from any variables or can monitor any server traffic POST or GET data...

Would it be possible to authenticate the referrer on the other side?

I know that's not bulletproof, but it's not sensitive data. I just want to reduce the unauthorized use as much as possible..

Any ideas?

note: I know obfuscating an API key or something is futile, I'm wondering what other controls I could put in place other than a traditional key to identify the caller to the API.. I have full control over the API itself so I could do anything on that side of things...