It’s impossible to secure the browser!

If you are exposing an endpoint to your front end on the public internet then it can be called at any time. There is no way to ensure that the call came from a browser. The only sane approach is to assume that any endpoint that you are exposing to the browser is a public API and should be treated as such (with the exception of ensuring backwards compatibility – private API’s are still subject to change/retirement without notice).

This also means that any javascript that you embed in the page and download to the browser will include a map of your exposed backend services and examples of how to authenticate and use it. Obfuscation will only go so far – the urls struct that you send out will be included in the messages.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s