How to prevent arbitrary client apps from using anonymous web API?

by

You can’t prevent people from copying your client code or replaying network traffic.

Thanks to the same origin policy, other web apps can’t access your API from the client. They will have to proxy their requests via the server, meaning these requests will come from a handful of easily identified IP addresses, which you can temporarily blacklist.

As for desktop and mobile apps, there’s not much you can do. My advice is to not worry about them until they’re a problem.

That said, it doesn’t hurt to be prepared. If you want to avoid expensive legal battles, one thing you can do is change your API method signatures from time to time. Leaching apps can be fixed, but their reputation will steadily decline.

More Related Contents:

  1. How do I secure REST API calls?
  2. PHP Session Security
  3. How do I create a self-signed certificate for code signing on Windows?
  4. Best practices when running Node.js with port 80 (Ubuntu / Linode) [closed]
  5. Non-random salt for password hashes
  6. Prevent PDF file from downloading and printing
  7. JWT refresh token flow
  8. Cross Domain Login – How to log a user in automatically when transferred from one domain to another
  9. Where do you store your salt strings?
  10. How can I throttle user login attempts in PHP
  11. Why is using a Non-Random IV with CBC Mode a vulnerability?
  12. Best Practices: Salting & peppering passwords?
  13. Is it safe to put a jwt into the url as a query parameter of a GET request?
  14. What’s the right OAuth 2.0 flow for a mobile app
  15. How do I store and retrieve credentials from the Windows Vault credential manager?
  16. MVC 6 Bind Attribute disappears?
  17. What is the most secure seed for random number generation?
  18. Moving old passwords to new hashing algorithm?
  19. Best way for a ‘forgot password’ implementation? [closed]
  20. Should JWT be stored in localStorage or cookie? [duplicate]
  21. Is it worth encrypting email addresses in the database?
  22. WS on HTTP vs WSS on HTTPS
  23. Is there a way to force apache to return 404 instead of 403?
  24. RSA signature size?
  25. Keygen tag in HTML5
  26. How to send password securely via HTTP using Javascript in absence of HTTPS?
  27. My website got hacked.. What should I do? [closed]
  28. Remember me Cookie best practice?
  29. AccessController.doPrivileged
  30. buffer overflow example from Art of Exploitation book

Leave a Comment