Sorry if it has already been said and answered; I have looked around a herd, but in reality I did not find what I was asking.
-
-
Assume that the non-documented Web API, such as XHR or JSONP, to bring private and data into my web app.
-
Also assume that this web app is anonymous - it does not require user login.
Since communication between client and server, anyone can point to Fidler, etc. To see the exact request and response, not to inspect JS code with customer-side.
In this case, in case you use any of your APIs in non-web customer AP How can you stop? Such as an iPhone app, or server-side.
For my understanding, the point # 2 removes the option of something like OAuth, and the point # 3 removes the option of an API key or even the SSL.
I have thought about things like time-based tokens or secret salts that are injected into the page on the first load, but an iPhone app can be easily loaded before loading your webpage. API's request
So there is no other way than just plain ambiguity - security through security?
-
If everything is very abstract, then here is a simple example:
Google.com receives its complete data through some APIs Which is private and unreadable - but is open on the Web Do I have to stop using it in my iPhone app?
You can not stop people from making your own copy Client code or network traffic to resume.
Thanks, other web application customers can not access your API. They will have to proxy their requests through the server, which means that they can be easily identified by an easily identifiable IP address, which you can temporarily blacklist.
For desktop and mobile apps, do. My advice is not to worry about them, unless they are a problem.
He said, it is hurt to not get ready. If you want to avoid expensive legal battles, then whatever you can do, your API method will change the signature from time to time. The linking app can be fixed, but their reputation will be reduced continuously.
Comments
Post a Comment