Securing a JavaScript-only client to access remote API
https://stackoverflow.com/questions/10035832
-
29-05-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Perhaps I'm asking for something impossible, but here we go: I'm trying to find a way to authenticate client requests to an API, but some clients can only use JavaScript to send their requests (they use hosted services which don't allow to write a single line of server-side code). This means that any API Key, secret or hash has to be handled by JavaScript, effectively making them useless.
I've seen some APIs using a heavily obfuscated code, but, in my opinion, such approach gives a false sense of security (it can be easily read with JavaScript Beautifier). Is there any better approach?
Thanks in advance for all the answers.
Solution
No, JavaScript is open, which means zero security.
The most sensible thing to do is proxy the API through a server you own, then get people to sign up to the server with their keys.
This means even though they can't have any server-side code, it's ok, because your hosting the server for them.
OTHER TIPS
There really isn't a way to do this entirely with JavaScript. The only option I have ever used is limiting by IP addresses or some other form of authentication for the JavaScript clients. After authentication/authorization then pass them over HTTPS their secret key that only remains with the client for a bit (i.e. not stored anywhere).
The disadvantage is that a smart, malicious user could pretty easily debug into the JavaScript and ascertain this key.
