On Wed, Jan 20, 2016 at 1:33 AM, nullvoid <janandhamoor...@gmail.com> wrote:

> Hi,
>
> I am currently working on a project; in that project I wrote an API. There
> is no user authentication; anyone can access it, and there are some AJAX
> calls. When the AJAX call happens my view returns the API output to the
> user. Is there any way a user can call the API other than from my
> web app (actually I did it in the dev console in the browser)? If possible, please suggest
> some way to avoid AJAX calls from outside of the web app.
>

CSRF protection would be your friend in this case, and would act as a
rudimentary gatekeeper to keep non-browser calls at bay. However, that
wouldn't stop someone from pulling down the web page, grabbing the CSRF
token from either the page itself, or from the session cookie, and then
using that to make calls. But if they go to that length, do you really care
at that point?

Without any sort of authentication mechanism, I'm not sure why you'd expect
to be protected from random external API calls if your site is publicly
available.

Also, what exactly are you trying to protect? Your server likely doesn't
know/care whether the API call is generated by a browser or from a CLI
command. If it's that important, implement user authentication or API key
authentication so that you know who is accessing your resources. But even
so, granted that you want them to only use the web application, any decent
programmer with enough motivation is going to figure out how to make the
calls in a programmatic fashion, since that's really all your JavaScript
AJAX calls are doing under the hood.

You didn't mention how you were developing this app, but if you are using
the Django REST Framework, both CSRF protection and authentication are
built-in and easy to implement. I'd imagine django-tastypie is similar.

TL;DR: Implement CSRF protection first in your web app, and then implement
authentication if you still aren't happy. That'll get you >95% of the way.

-James
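To make the layering in James's reply concrete, here is an added, self-contained illustration (not code from the thread or from Django itself): a pure-Python stand-in for a view that first applies a double-submit CSRF check in the spirit of Django's `CsrfViewMiddleware` and then an API-key check modelled on DRF's `TokenAuthentication`. The `Request` class, `API_KEYS` store and key value are constructed for the example; the point is that a caller who copies the CSRF token out of the cookie still gets stopped by the authentication layer.

```python
import hmac
from dataclasses import dataclass, field


# Constructed stand-in for an HTTP request. In Django you would read
# request.COOKIES, request.META["HTTP_X_CSRFTOKEN"] and
# request.META["HTTP_AUTHORIZATION"] instead.
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Hypothetical server-side key store: API key -> username (constructed).
API_KEYS = {"k-constructed-example-key": "alice"}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_ok(req):
    """Double-submit check: the X-CSRFToken header must match the csrftoken
    cookie. Like Django, safe (read-only) methods are not checked."""
    if req.method in SAFE_METHODS:
        return True
    cookie = req.cookies.get("csrftoken", "")
    header = req.headers.get("X-CSRFToken", "")
    # Constant-time compare so the check does not leak the token byte by byte.
    return bool(cookie) and hmac.compare_digest(cookie, header)


def authenticate(req):
    """API-key check in the style of 'Authorization: Token <key>'.
    Returns the username for a known key, otherwise None."""
    scheme, _, key = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not key:
        return None
    for known_key, user in API_KEYS.items():
        if hmac.compare_digest(known_key, key):
            return user
    return None


def api_view(req):
    """Apply the two layers in order and return (status, body)."""
    if not csrf_ok(req):
        return 403, "CSRF check failed"
    user = authenticate(req)
    if user is None:
        return 401, "authentication required"
    return 200, f"hello {user}"
```

A request that only replays the CSRF cookie value in the header passes the first layer and is rejected by the second, which is why CSRF alone is a gatekeeper rather than access control.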

Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CA%2Be%2BciXH5kR1bU6FJJFEGHP7d_AcroKhzTOnLAE02RTKtYtyrg%40mail.gmail.com.