
I've been working on an e-commerce project built on Symfony2 (for the backend) and AngularJS for the frontend. Currently the Symfony part is used only as an API, which has three different user levels (guest, customer & admin). Different actions that can be done within the system (like add/remove data) are secured by:

1) Symfony2 firewall with user roles/access control
2) JMS security extra (@PreAuthorize expressions)

For the parts that are secure everything works as intended and I'm very happy with the way things work.

Problem:

There are parts of the API which are public (like retrieving product information, categories, etc.). I'm retrieving such data in Angular with Ajax calls to my API that returns the data in JSON format. One example would be:

/api/product/get-all/?page=1&count=10&sorting[id]=asc

The problem is that anyone could look at the requests in browser and copy the path and have access to all the data (such as all the products) and could just download a JSON of all the information. Although this data is "public", I don't want to give others such an easy way of "stealing" my data.

Ideas & possible solutions:

1) I was looking at the JWT (JSON Web Token) standard to try and secure the public calls to my API and implement it in such a way that I generate a token for "real" users that are on the website, and thus limit direct access to public API links.

What do you think? Would this be a possible solution?

2) I was also reading in some other question on StackOverflow that I could check the HTTP_X_REQUESTED_WITH header from the request, but we all know this can be easily spoofed by an attacker.

3) Finally, I read a similar approach to "solution" 1) here: http://engineering.talis.com/articles/elegant-api-auth-angular-js/ but I'm not entirely sure that this fits my purpose.

Additional notes:

  • I don't want to make this bullet-proof, but I also don't want to give people the option to click 2 buttons and get all my data. I know that eventually all the information can be "stolen" (e.g. by using a web scraper), but "securing" the system in such a way that people would have to make a bit of an effort is what I have in mind.
  • I can't really re-model my API too much at this stage, but any ideas would be appreciated

Thanks for taking the time to read my question and I'm looking forward to any feedback.

You can't really protect public data, because you want the public to be able to see that data. You can try to make it more difficult to get all of the data, but that's all. Just accept that public data is public, and invest your power in better, productive things. – smat88dd 2 days ago

2 Answers

You could try something like:

  1. To access the site, anonymous users first need to fill in a captcha to get a temporary token.
  2. Add a referrer check.
  3. Limit the amount of data anonymous users can view. For instance, the first 50 products.

This way everyone who wants to steal your data first needs to get an anonymous temporary token by filling in the captcha and change the referrer.

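The following is an added example, written for this page and not code from the asker's project or from the answer above. It sketches what the answer's points 1 and 3 (and the asker's JWT idea) look like in plain PHP: a short-lived HS256 token minted for an anonymous caller after some gate such as a captcha, verification of that token on each public API call, and a hard cap on how many products an anonymous token may page through. Everything here is hypothetical: the function names, the `ANON_MAX_PRODUCTS` and `TOKEN_TTL` constants, and the placeholder secret; wiring into a Symfony2 firewall or request listener is left out. `hash_equals` needs PHP 5.6+ and `random_bytes` needs PHP 7+.

```php
<?php
// Added example, not from the question or the answer. Plain-PHP helpers that a
// Symfony2 controller or request listener could call; names and constants are
// assumptions made for this illustration.

const ANON_MAX_PRODUCTS = 50;  // answer's point 3: anonymous callers see only the first 50
const TOKEN_TTL = 900;         // seconds; a copied token goes stale quickly

function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode($data) {
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4); // restore padding
    return base64_decode(strtr($data, '-_', '+/'), true);
}

// Mint an HS256 JWT for an anonymous caller. Call this only after the caller
// has passed whatever gate you choose (the answer suggests a captcha); handing
// tokens out on an unguarded endpoint would defeat the purpose.
function issue_anon_token($secret, $now = null) {
    $now = $now === null ? time() : $now;
    $header  = base64url_encode(json_encode(array('alg' => 'HS256', 'typ' => 'JWT')));
    $payload = base64url_encode(json_encode(array(
        'sub' => 'anonymous',
        'iat' => $now,
        'exp' => $now + TOKEN_TTL,
        'jti' => bin2hex(random_bytes(8)),  // random id, useful if you ever want to revoke
    )));
    $sig = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify the token and return its claims, or null if it is invalid or expired.
// The algorithm is fixed server-side: the 'alg' field in the header is never
// consulted, so a forged "alg: none" header cannot bypass the HMAC check.
function verify_token($token, $secret, $now = null) {
    $now = $now === null ? time() : $now;
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    list($header, $payload, $sig) = $parts;
    $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {     // constant-time comparison
        return null;
    }
    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < $now) {
        return null;
    }
    return $claims;
}

// Translate ?page=N&count=M into an (offset, limit) pair, clamping anonymous
// callers to the first ANON_MAX_PRODUCTS products. Returns (0, 0) when the
// requested page lies entirely beyond the cap.
function clamp_product_window($claims, $page, $count) {
    $page   = max(1, (int) $page);
    $count  = max(0, (int) $count);
    $offset = ($page - 1) * $count;
    if (isset($claims['sub']) && $claims['sub'] === 'anonymous') {
        if ($offset >= ANON_MAX_PRODUCTS) {
            return array(0, 0);
        }
        $count = min($count, ANON_MAX_PRODUCTS - $offset);
    }
    return array($offset, $count);
}

// Usage: issue a token after the captcha, then check it on each public call
// such as /api/product/get-all/?page=1&count=10.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SERVER-SECRET';  // placeholder, not a real value
$token  = issue_anon_token($secret);
$claims = verify_token($token, $secret);
var_dump($claims !== null);                        // bool(true)
var_dump(clamp_product_window($claims, 5, 10));    // offset 40, limit 10
var_dump(clamp_product_window($claims, 6, 10));    // offset 0, limit 0: beyond the cap
var_dump(verify_token($token . 'x', $secret));     // NULL: tampered signature
var_dump(verify_token($token, $secret, time() + TOKEN_TTL + 1)); // NULL: expired
```

As the comment above notes, none of this makes the data private: a scraper that solves the captcha once gets the same 50 products a browser does, and the referrer check in the answer's point 2 only raises the bar slightly because the header is client-controlled. What the cap and the short token lifetime do buy is that bulk download of the whole catalogue is no longer a single copied URL, which matches the effort level the asker says they are after.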
