Preventing unwanted ajax requests to a low-level REST API
Posted: Sun Jan 01, 2012 10:16 am
Let me start by saying that I'm self taught, and thus, while I consider myself a fairly advanced programmer, I'm fairly lacking in knowledge on security.
I'm developing a REST API that for now only processes and serves information if the request comes from the same domain as the server. I'd like to be able to limit any requests to this API to ones that come directly from programmed JavaScript, and prevent any requests that are run from, for instance, the console, or from JavaScript typed into the URL bar.
I've read about using tokens generated server-side, passing them as a JavaScript variable, and then sending them along with the AJAX request, but if I were really trying to abuse the system, I would just go into the page source, find where the variable is set, and then use that token in an abusive request.
What am I missing in this process? How can I truly ensure that a request is valid? Should I rethink my approach?
Thanks.
I'm developing a REST API that for now only processes and serves information if the request comes from the same domain as the server. I'd like to be able to limit any requests to this API to ones that come directly from programmed JavaScript, and prevent any requests that are run from, for instance, the console, or from JavaScript typed into the URL bar.
I've read about using tokens generated server-side, passing them as a JavaScript variable, and then sending them along with the AJAX request, but if I were really trying to abuse the system, I would just go into the page source, find where the variable is set, and then use that token in an abusive request.
What am I missing in this process? How can I truly ensure that a request is valid? Should I rethink my approach?
Thanks.