1👍
There’s a great answer on RESTful Authentication that can really help you out. These principals can be adapted and implemented in django as well.
The other thing you can do is take it one level higher than implementing this in django but use your webserver.
For example I use the following in my nginx + uwsgi + django setup:
# the ip address of my front end web app (calling my Rest API) is 192.168.1.100.
server {
listen :80;
server_name my_api;
# allow only my subnet IP address - but can also do ranges e.g. 192.168.1.100/16
allow 192.168.1.100;
# deny everyone else
deny all;
location / {
# pass to uwsgi stuff here...
}
}
This way, even if they got the URL, nginx would cut them off before it even reached your application (potentially saving you some resources…??).
You can read more about HTTP Access in the nginx documentation.
It’s also worth noting that you can do this in Apache too – I just prefer the setup listed above.
1👍
This may not answer your question, but there’s no way to hide a web request in the browser. To normal users, seeing the actual request will be very hard, but for network/computer savvy users, (normally programmer who will want to take advantage of your API) doing some sniffing and finally seeing/using your web request may be very easy.
This you’re trying to do is called security through obscurity and normally is not very recommended. You’ll have to create a stronger authentication mechanism if you want your API to be completely secure from non authorized users.
Good luck!
- [Answered ]-Django nose test, How to initialize a setup before any tests
- [Answered ]-Difference among Mongoengine, flask-MongoEngine and Django-MongoEngine?
- [Answered ]-Django: Why is my jQuery POST url changing when it hits the server?