
Ask HN: How do I ensure access to my API only from my webapp - sharmi
Hi,
I want to ensure that a particular api/URL is accessed only by my web app and all other origins are denied. My server is not very powerful and cannot handle large volumes of crawlers and I would like to secure the data. Unfortunately I cannot verify users. What is the best way to secure it?
======
niftich
Where is this app running? Is it only on devices you control, or is it running
on devices you don't control (i.e. users' phones, computers, etc.)?

If it's running only on devices that are fully in your control, the solution
is easy: make the app authenticate with your API using a large,
cryptographically secure-random secret key [1].

But if it's the latter, what you're asking for is generally not possible. A
competent actor can reverse-engineer your app to extract any API keys or
secrets or other tokens that you'd embed in your app, and thereby masquerade
as your app [2]. But, as with nearly everything, it's a trade-off. Obfuscating
your secret may cut down on the amount of casual requests to your endpoints,
but treat this as a developer convenience, and not as a security mechanism.

[1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Authentication_and_session_management

[2] https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/

