Hide query string in API call

Question

I am calling a Azure API app from JavaScript. I need to send a parameter to backend via API based on the domain that application executes under (mydonain.org parameter1, for mydomain.com parameter2). However I need to hide this parameter from the users (when users right click and view JavaScript code, they will not be able to see the parameter).

How can I send this parameters from JavaScript to backend via API app and make in invisible for users?

$.getJSON("api/searchItems/" + myparam,
   function (Data) {
   ...
  });

myParam has different values based on where the application executes. if it executes on mydomain.com it is 1 and if it executes on mydomain.org it is 2 etc. but this code is not approved because you can find out what the parameter is and call the api directly.

The API can tell where the request came from - you don't need to tell it. — Reinstate Monica Cellio, Feb 10 '17 at 15:44
Users can always use the developer tools (press `F12`) and see each and every query that goes between client and server. — Erich Kitzmueller, Feb 13 '17 at 08:13

score 3 · Answer 1 · answered Feb 13 '17 at 08:20

This request breaks the golden rule: if it's located at the client then no matter how much you try the client will be able to find it, period.

You do have a couple options and this is subjective since not a lot of detail has been given.

First you can hash the domains though clients will still be able to easily inject their own JavaScript code and determine what domain you're hashing.

Secondly are you validating the client data at the server? Do you have way to associate a domain with something such as a session (which is not effectively a 100% guarantee itself) and reject spoofed domain requests?

I'm not sure offhand what, if any, security concerns there may be with passing a domain name as a string. I presume this is not in conjunction with a form (perhaps viewing data on a specific domain out of a list).

Lastly whatever server side programming language you're using should have a method of allowing you to know what the domain name is, presuming you're not requesting information for domain A from domain B.

No I am not sending domain as a string and I will not send the parameter inside JavaScript. So my server code needs to find out the domain and inject the parameter based on it. — user217648, Feb 13 '17 at 09:17
I'm not familiar with Azure. You've not clarified if the client/server/domain relation is domain a is always domain a or if the client and server can mix domains a and b. Additionally there is absolutely no context provided in regards to what goal this would help achieve which may reveal that your current secondary goal may be void to begin with. — John, Feb 13 '17 at 11:52

Hide query string in API call

1 Answers1