8

I'm writing a javascript plugin which will be installed by bloggers/website owners. It will communicate with my remote API.

I'm wondering how to secure the API to ensure that only domains owned by users that have registered an account with the service can access resources from the API. I've read up on OAuth2 and understand the basics, but because the plugin will run from within the browser and not from server to server, i'm not sure how secure this can be.

Tons of services like mixpanel, google analytics, olark use the same concept (i.e. website owner install a line of JS on their site) so it must be a solved problem.

Improve this question
4
  • What exactly are you trying to prevent? Commented May 15, 2012 at 15:29
  • Trying to prevent people from accessing data they shouldn't have access to, e.g. me accessing the google analytics data of a site I don't own or control. Google does this, but how? using OAuth? Commented May 15, 2012 at 15:37
  • No; Google does not do that. The Google Analytics script does not give access to any data. Commented May 15, 2012 at 15:40
  • To answer your apparent question, you can use any login system. Commented May 15, 2012 at 15:40

1 Answer 1

Reset to default
4

You can insert window.location checks into your script to prevent other people from including it directly off of your servers.

However, it is impossible to prevent people from downloading the scripts locally, removing your protection, then hosting it themselves.

You can require an API key in all server-side requests, but enemies can easily steal API keys from legitimate sites.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

The script would be pretty much useless though without communication with my API. Sorry my question is a bit vague i'm just a little confused how the services I mentioned have gone about implementing this.
None of the services you mentioned can return any information.
SLaks hit it on the head. GA and Mixpanel widgets only send data, and there's nothing preventing any site from using a given GA key to record data except that they then can't access the data in question (and it's easily filtered for the legitimate user). In the Olark case, data does come back (i.e. messages from the operator), but it's session-specific and not authenticated-user specific, so the same thing applies (I'm an engineer for Olark, and we don't do any sort of URL verification because it would ultimately be useless for the reasons SLaks mentioned).

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.