I have been looking at backbone.js/spine.js and I like the idea of just setting up a REST api and putting all of the logic in the client. But is there any way to secure the REST api when using ajax model persistence? Or can someone just look at my source and deduce all of the api endpoints?
3 Answers
There is no way to make the browser see something that no one else can see. So you will show your API endpoints to an attacker.
The trick is instead to authenticate all API calls, and make sure that you don't save the keys for that authentication in your Javascript. I tend to use the username and password of the logged in user for authentication, and it has worked great together with backbone.js. I just store the username and password with store.js, and send it along with any ajax call against the API.
Note that this should be done over HTTPS.

- This is by design a very insecure method. If you send the username and password along with a simple GET request, anybody (sniffing) can just read it and pretend to be that user herself. – nathanvda Jan 22 '12 at 16:30
- @nathanvda: We do it over HTTPS of course, clarified my response. – Emil Stenström Jan 23 '12 at 11:08
- Essential indeed. Still, why not use some kind of authentication token or session ID? No need to store username and password on the client, which could be potentially unsafe. And the authentication token/session ID are by definition short-lived, thus safer ... – nathanvda Jan 23 '12 at 19:20
- @nathanvda: I'm not saying what we built was perfect. Using token or session ID auth is one more step, one more thing to build. With just basic auth against the API you don't need to change anything on the server side, and that was a win in this case. Security is always a trade-off. – Emil Stenström Jan 23 '12 at 22:31
Normally you will have a simple login which can set a session cookie. This session cookie will be sent with every call to your API and verify that the user is logged in. Sure, everyone can deduce all your endpoints, but they can't use them without the authentication.

They wouldn't even have to look at the source - a simple tool like Firebug could simply list all the requests your script makes.
However, consider this: is opening up the data really a big issue?
Client-side scripts will always be a security risk. Even C++ applications can be cracked and their endpoints revealed.
Of course, don't ever send stuff like bank information to the browser.
