4

What is best way to secure API calls from AngularJS(Mobile application) / HTML pages to a Laravel PHP backend?

To be clear, I'm NOT talking about user login authentication.

I'm planning an API based application. I would like to read the JSON data from my API into a page using AngularJS, before any user is asked to sign up or log in.

I need to ensure that only my client front-end can access this data. Is there an existing system to send a token or utilise my secret key, to ensure that only my front-end can access my API? I would also like to be able to revoke access from a specific client or tenant.

What are security options for this set up? I'm thinking along the lines of JWT, CORS etc... This is my first attempt at such an application, so please forgive my ignorance! How to securely access API from Mobile application

Sumithra R
  • 41
  • 2

2 Answers

-1

You should use CORS and only allow the web application domain to request the API. Then any other request won't have access to the data.

Using a token won't be safe since anybody can access it from your application and use it outside.

Take a look at this package to manage CORS inside Laravel.

jeanj
  • 2,106
  • 13
  • 22
  • sorry, it's wrong: applying CORS configs in the backend will make it safe against **Web Browsers'** unsecure calls, but not against **DEV** tools – Ahmed Nabil Nov 13 '19 at 17:19
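To make the answer and the comment concrete, here is an added example (not from the answer, the linked package, or the Laravel project itself) of a Laravel middleware that only sets CORS headers for an allow-listed front-end origin. The class name, the `ALLOWED_ORIGINS` value and the allowed methods/headers are assumptions for the example:

```php
<?php
// Added example: a Laravel middleware restricting cross-origin browser
// access to one front-end origin. Class name and origin are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RestrictCorsOrigin
{
    /** Origins permitted to call the API from a browser (assumed value). */
    private const ALLOWED_ORIGINS = [
        'https://app.example.com',
    ];

    public function handle(Request $request, Closure $next)
    {
        $origin = $request->headers->get('Origin');

        // Same-origin page loads and non-browser clients send no Origin header;
        // the browser's CORS check is simply not involved for those requests.
        if ($origin === null) {
            return $next($request);
        }

        // Exact match only: never reflect an arbitrary Origin back, and never
        // use "*" on a response that is meant for one tenant or carries credentials.
        if (!in_array($origin, self::ALLOWED_ORIGINS, true)) {
            // A response without CORS headers is already unreadable to scripts on
            // another origin; refusing with 403 also keeps the body out entirely.
            return response()->json(['error' => 'origin not allowed'], 403);
        }

        // Preflight: answer OPTIONS here without reaching the controller.
        if ($request->isMethod('OPTIONS')) {
            $response = response('', 204);
        } else {
            $response = $next($request);
        }

        $response->headers->set('Access-Control-Allow-Origin', $origin);
        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
        $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
        // The response depends on Origin: stop a shared cache from serving one
        // origin's allow header to a page on another origin.
        $response->headers->set('Vary', 'Origin');

        return $response;
    }
}
```

Register the middleware on the API route group. Note what it does and does not do, which is the point of the comment above: the `Access-Control-Allow-Origin` check is enforced by the browser, so it stops a page on another site from reading your JSON through a user's browser, but a native mobile app, `curl`, or a browser's developer tools never applies it and receives the data regardless. CORS is a browser-side protection for your users, not an authentication mechanism for your API.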
-1

This is application to application authorization. You could use a protocol such as OAuth2, however there's an interesting way of avoiding such a protocol.

If I were you, I'd go with a client-side SSL certificate. The idea is that your client (mobile app) presents a certificate to the web server. The web server tries to verify the certificate. If it verifies it, it sends a parameter to the PHP script that it verified you. If not, the parameter is empty or not sent.

Here's a link to a blog post that describes this process.

There are other ways to implement app to app authorization, by implementing secret keys, one time passwords etc., but no approach is as straightforward and easy as a client-side certificate.

Mjh
  • 2,904
  • 1
  • 17
  • 16
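The "parameter the web server sends to the PHP script" in this answer is, in practice, a set of server variables populated after TLS client verification. The following added example (not from the answer or the blog post it links) shows a Laravel middleware that trusts only an explicit `SUCCESS` result and adds a per-client revocation list, which is what the question asked for when it mentioned revoking a specific client or tenant. The variable names follow the Apache mod_ssl convention (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN`); `SSL_CLIENT_FINGERPRINT` is a name chosen for this example, the class name is an assumption, and the fingerprint in `REVOKED` is a constructed placeholder:

```php
<?php
// Added example: Laravel middleware that enforces a verified client
// certificate and a fingerprint-based revocation list. Server variables
// assumed to be set by the TLS-terminating web server:
//   SSL_CLIENT_VERIFY       "SUCCESS", "NONE" or "FAILED:<reason>"
//   SSL_CLIENT_FINGERPRINT  certificate fingerprint (name chosen here)
//   SSL_CLIENT_S_DN         certificate subject DN (used as the tenant id)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireClientCertificate
{
    /** Fingerprints of client certificates whose access has been revoked (placeholder). */
    private const REVOKED = [
        '0000000000000000000000000000000000000000',
    ];

    public function handle(Request $request, Closure $next)
    {
        $reason = self::rejectionReason(
            $request->server('SSL_CLIENT_VERIFY'),
            $request->server('SSL_CLIENT_FINGERPRINT'),
            self::REVOKED
        );

        if ($reason !== null) {
            return response()->json(['error' => $reason], 401);
        }

        // Hand the verified identity to controllers; the subject DN is the
        // natural per-client / per-tenant key once the certificate is trusted.
        $request->attributes->set('client_subject', $request->server('SSL_CLIENT_S_DN'));

        return $next($request);
    }

    /**
     * Pure decision function so the policy can be unit-tested without a
     * TLS-terminating server in front of PHP. Returns null when the request
     * may proceed, otherwise a short reason string.
     */
    public static function rejectionReason(?string $verify, ?string $fingerprint, array $revoked): ?string
    {
        // Only an explicit SUCCESS counts. A missing or empty variable means the
        // server was not configured to verify, not that verification passed.
        if ($verify !== 'SUCCESS') {
            return 'client certificate required';
        }
        if ($fingerprint === null || $fingerprint === '') {
            return 'client certificate fingerprint missing';
        }
        // Revocation check: compare case-insensitively, hex digits only differ in case.
        if (in_array(strtolower($fingerprint), array_map('strtolower', $revoked), true)) {
            return 'client certificate revoked';
        }
        return null;
    }
}
```

On nginx the corresponding server-side configuration is `ssl_client_certificate /path/to/client-ca.pem;` with `ssl_verify_client on;` (or `optional`, if you want PHP rather than the TLS layer to produce the error response), plus `fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;`, `fastcgi_param SSL_CLIENT_FINGERPRINT $ssl_client_fingerprint;` and `fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;` in the PHP location block; Apache's mod_ssl exposes the equivalent `SSL_CLIENT_*` variables with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`. Two design points matter for the question's requirements: a certificate shipped inside an app bundle is only as secret as that bundle, so issue one certificate per client or tenant rather than a single shared one, and keep the revocation list (or a proper CRL at the web server) so that a single compromised or retired client can be cut off without re-issuing everyone else's certificate.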