Menu
Is it possible to hide my REST URL that I using via AJAX to populate page data? I don't want others taking and consuming from my REST API, but need to use it to display content in my site.
How do I hide my REST API URLs from the end user?
311
I found a solution to hide base url to keep api secured with NDK. Keep base64 encoded string inside cpp file and call that from java class and decode base64. Include c++ (NDK) support to your project. You can include this to your new or old project.
Under REST principles, a URL identifies a resource. The following URL design patterns are considered REST best practices: URLs should include nouns, not verbs. Use plural nouns only for consistency (no singular nouns).
It's not possible to hide the URL From the end user in JavaScript. They can simply open up the Network panel in Chrome, or just turn on Fiddler to see it.
In your particular case, the only real way you can hide the URL from the user is to proxy the REST call to your API from your server-side code.
If you must use JavaScript, you can always create and use APIKeys and simply monitor their usage and terminate API Keys that are taking up too much bandwidth; but again -- this isn't going to stop someone from being able to use your API, it'll just let you know when you receive an unexpected amount of traffic from unexpected places.
You could take it further by cycling API keys every day, so if someone wants to use your API; they have to change their code every day -- but again, this won't stop someone, just slow them down.
The only fullproof way is the way I mentioned in my first paragraph -- but that can't be done from client-side JavaScript alone.
What I wrote holds true, even for Single Page Applications (SPA); though you can hide the URL in the address bar by having different routing for your client-side application than your server-rendered pages.
The user can still inspect the traffic in their browser's console to check where the requests are going (there's no getting around that), but you can at least display different paths in the address bar.
171
Not really. The page needs to have access to the URL in order to use it, and this gets you into the age-old problem of showing somebody something while hiding it from them at the same time. Modern browsers with built-in debugging tools compound the problem: even if you encrypt the URL, there comes a point where you will have to decrypt it in order to use it, and debuggers can jump in at that point.
Is there a particular reason that you're concerned about others using the API? There isn't really a way to prevent others from finding the URL, but there may be other ways to achieve your goal.
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
