 

Symfony2 RESTful API + AngularJS

I've been working on an e-commerce project built on Symfony2 (for the backend) and AngularJS for the frontend. Currently the Symfony part is used only as an API, which has three different user levels (guest, customer & admin). Different actions that can be done within the system (like add/remove data) are secured by:

  1. Symfony2 firewall with user roles/access control
  2. JMS security extra (@PreAuthorize expressions)

For the parts that are secure everything works as intended and I'm very happy with the way things work.

Problem:

There are parts of the API which are public (like retrieving product information, categories, etc.). I'm retrieving such data in Angular with Ajax calls to my API that returns the data in JSON format. One example would be:

/api/product/get-all/?page=1&count=10&sorting[id]=asc

The problem is that anyone could look at the requests in browser and copy the path and have access to all the data (such as all the products) and could just download a JSON of all the information. Although this data is "public", I don't want to give others such an easy way of "stealing" my data.

Ideas & possible solutions:

  1. I was looking at the JWT (JSON Web Token) standard to try and secure the public calls to my API and implement it in such a way that I generate a token for "real" users that are on the website, and thus limit direct access to public API links.

What do you think? Would this be a possible solution?

  2. I was also reading in some other question on StackOverflow that I could check the HTTP_X_REQUESTED_WITH header from the request, but we all know this can be easily spoofed by an attacker.

  3. Finally, I read a similar approach to "solution" 1) here: http://engineering.talis.com/articles/elegant-api-auth-angular-js/ but I'm not entirely sure that this fits my purpose.

Additional notes:

  • I don't want to make this bullet-proof, but I also don't want to give people the option to click 2 buttons and get all my data. I know that eventually all the information can be "stolen" (e.g. by using a web scraper), but "securing" the system in such a way that people would have to make a bit of an effort is what I have in mind.
  • I can't really re-model my API too much at this stage, but any ideas would be appreciated

Thanks for taking the time to read my question and I'm looking forward to any feedback.

Iulian Popovici asked Jul 21 '15 06:07



1 Answer

You can limit the abuse of your system in a number of ways, including:

  • Limit the total number of requests that API will return before requiring CAPTCHA or some other validation method. This can be limited by IP, browser fingerprint, authentication token, etc.

  • Make it difficult for an abuser to guess IDs of products, categories, etc. by using GUIDs or other randomly generated IDs.

  • Use API management proxy such as Azure API Management for more enterprise level management of the APIs (http://justazure.com/azure-api-management-part-one-introduction/)

Konstantin answered Nov 15 '22 09:11
