2

I am searching for a good implementation to protect my backend written in PHP.

Scenario:

Server 1 (www.domain.com) serves only JS/HTML to the client.

Server 2 (www.domain2.com) is running a PHP server which responds to Server 1 with JSON data (rendered by a JavaScript template engine on Server 1).

How can I stop others from grabbing the JSON response from Server 1? I know I can add some kind of API key, but it is stored in JS (everyone can read it); I know I could check whether the request comes from Server 1's IP, but it is not a big deal to fake such a request.

1
  • Talked to a co-worker; looks like there is no other way than using some kind of server-side language on Server 1 (; Commented Nov 13, 2012 at 13:30

3 Answers

1

Making internal calls from Server 1 to Server 2 is a solution; not exposing Server 1 to the internet and adding it to a private network might help.

Even if someone finds a way around that, you could add validations like making sure that the request origin is the authorized source (in your case Server 2). If the request origin is another source, simply return without processing.

If you're still paranoid about it, you can always keep adding more mechanisms, like a hash-based message authentication code.


1

One thing you can do is to create a session cookie on Server 1 and simultaneously store that session value in the database on Server 2. Whenever someone makes a request from Server 1, you attach the cookie value to the request and send it to Server 2 while making API calls. Server 2 serves back the JSON only when the incoming session ID matches the one stored in the database.

This is not foolproof. Someone can hack the cookies, and you will need to clear up the session once the users log out.

The other way, as you mentioned, is using a server-side scripting language on Server 1.


1

Why not just create some short-life tokens and share them only server-side, then embed in JS code?

Source
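The first answer's HMAC idea and this answer's short-lived tokens combine naturally, as in the following added example (not code from any of the answers). It assumes, per the comment on the question, that Server 1 can run PHP to mint the token before embedding it in the page, and that both servers share a secret loaded out of band; the token still reaches the browser, so this bounds how long a grabbed token works rather than hiding the JSON from whoever loaded the page.

```php
<?php
// Added example: short-lived, HMAC-signed token minted on Server 1 and
// checked on Server 2. TOKEN_TTL and the secret name are assumptions.

const TOKEN_TTL = 300; // seconds a token stays valid

// Server 1: mint a token when rendering the page and embed it in the JS.
function issue_token(string $secret, int $now): string
{
    $expires = $now + TOKEN_TTL;
    $nonce   = bin2hex(random_bytes(8));   // makes each token unique
    $payload = $expires . '.' . $nonce;
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Server 2: serve JSON only if the token is intact and not yet expired.
function verify_token(string $token, string $secret, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;                      // malformed token
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                      // expired or bad expiry field
    }
    $expected = hash_hmac('sha256', $expires . '.' . $nonce, $secret);
    // hash_equals compares in constant time, so the check does not leak
    // how many bytes of the MAC were correct.
    return hash_equals($expected, $mac);
}

// Demonstration with a constructed secret; in practice read it from the
// server's configuration, never from the JS.
$secret = 'constructed-demo-secret';
$token  = issue_token($secret, time());

var_dump(verify_token($token, $secret, time()));          // fresh token
var_dump(verify_token($token, $secret, time() + 600));    // past the TTL
var_dump(verify_token($token . 'x', $secret, time()));    // tampered MAC
```

Because the expiry is part of the signed payload, an attacker cannot extend a grabbed token's lifetime without the secret; rotating the secret on Server 2 invalidates every outstanding token at once.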
