-1

I'm working on an application which can be added to third party websites. This means that this app runs in the browsers of the users of a third party and I don't have control over what runs in their server.

My problem is that my app needs to load data from my own server. How can I secure my server so it does not leak data to malicious users who try to scrape my database though the REST endpoints of my server?

I can't use whitelists since the user can be anywhere. Currently I use hmacs but this will only stop script kiddies from disassembling the client code and sending their own encrypted messages.

Is there a best practice for this problem?

Hexworks
  • 115
  • 1

1 Answers1

2

Might be a better question for Information Security.

As you imply, you need to assume that the client is untrusted. Hackers will not bother disassembling your code they will just sniff the communication, and reverse engineer that (along with any tokens).

You can control sessions, and how much and what kind of data any particular session can give out, but there's no way to force this to go to your client.

Egret
  • 414
  • 2
  • 7