How to return an error message if users call the AJAX endpoint from somewhere other than my web app


nullvoid

Jan 20, 2016, 9:23:50 AM
to Django users
Hi,

I am currently working on a project. In that project I have written an API; there is no user authentication, anyone can access it, and there are some AJAX calls. When the AJAX call happens, my view returns the API output to the user. Is there any way a user can call the API other than from my web app? (Actually I did it in the dev console in the browser.) If possible, please suggest some way to avoid AJAX calls from outside of the web app.

James Schneider

Jan 20, 2016, 5:25:54 PM
to django...@googlegroups.com
On Wed, Jan 20, 2016 at 1:33 AM, nullvoid <janandh...@gmail.com> wrote:
Hi,

I am currently working on a project. In that project I have written an API; there is no user authentication, anyone can access it, and there are some AJAX calls. When the AJAX call happens, my view returns the API output to the user. Is there any way a user can call the API other than from my web app? (Actually I did it in the dev console in the browser.) If possible, please suggest some way to avoid AJAX calls from outside of the web app.

CSRF protection would be your friend in this case, and would act as a rudimentary gatekeeper to keep non-browser calls at bay. However, that wouldn't stop someone from pulling down the web page, grabbing the CSRF token from either the page itself, or from the session cookie, and then using that to make calls. But if they go to that length, do you really care at that point?

Without any sort of authentication mechanism, I'm not sure why you'd expect to be protected from random external API calls if your site is publicly available. 

Also, what exactly are you trying to protect? Your server likely doesn't know/care whether the API call is generated by a browser or from a CLI command. If it's that important, implement user authentication or API key authentication so that you know who is accessing your resources. But even so, granted that you want them to only use the web application, any decent programmer with enough motivation is going to figure out how to make the calls in a programmatic fashion, since that's really all your JavaScript AJAX calls are doing under the hood.

You didn't mention how you were developing this app, but if you are using the Django REST Framework, both CSRF protection and authentication are built-in and easy to implement. I'd imagine django-tastypie is similar.

TL;DR: Implement CSRF protection first in your web app, and then implement authentication if you still aren't happy. That'll get you >95% of the way.

-James
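The two layers James describes, as an added example that is not part of the thread and not Django's own code: a framework-free model of how Django's CSRF middleware compares the `X-CSRFToken` header against the `csrftoken` cookie, followed by an API-key check, with the view returning a status and JSON-style error body. The requests, the token value and the `Api-Key` header scheme are constructed for the example; in a real Django app the CSRF check is done by `CsrfViewMiddleware`, and a logged-in browser user would normally be identified by the session rather than a key.

```python
import hashlib
import hmac

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed server-side state: SHA-256 of one issued API key, mapped to its owner.
# A real app keeps these in the database and shows the raw key to the client once.
API_KEY_HASHES = {hashlib.sha256(b"demo-key-123").hexdigest(): "reporting-client"}


def csrf_ok(request):
    """Simplified model of Django's double-submit check: on unsafe methods the
    X-CSRFToken header that the page's JavaScript adds must equal the csrftoken
    cookie the browser attaches automatically. A caller that holds no cookie for
    this site (curl, a page on another origin) fails here."""
    if request["method"] not in UNSAFE_METHODS:
        return True
    cookie = request.get("cookies", {}).get("csrftoken", "")
    header = request.get("headers", {}).get("X-CSRFToken", "")
    return bool(cookie) and hmac.compare_digest(cookie, header)


def api_client(request):
    """Return the owner of a valid 'Authorization: Api-Key <key>' header, else None.
    The header scheme is an assumption of this example, not a Django convention."""
    scheme, _, key = request.get("headers", {}).get("Authorization", "").partition(" ")
    if scheme != "Api-Key" or not key:
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    for stored, owner in API_KEY_HASHES.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return owner
    return None


def api_view(request):
    """View body: returns (status, body) the way a Django view returns a JsonResponse."""
    if not csrf_ok(request):
        return 403, {"error": "CSRF verification failed"}
    owner = api_client(request)
    if owner is None:
        return 401, {"error": "valid API key required"}
    return 200, {"result": "ok", "client": owner}


# Constructed requests, modelled as plain dicts.
TOKEN = "constructed-csrf-token-0123456789"

# The web app's own AJAX call: cookie set by Django, header added by the page's JS.
BROWSER_AJAX = {"method": "POST",
                "cookies": {"csrftoken": TOKEN},
                "headers": {"X-CSRFToken": TOKEN, "Authorization": "Api-Key demo-key-123"}}

# A plain command-line call from outside the site: no cookie jar, no token.
EXTERNAL_CALL = {"method": "POST", "cookies": {}, "headers": {}}

# James's caveat: a caller who fetched the page and reused its token passes the
# CSRF check, so only the authentication layer tells this call apart.
COPIED_TOKEN_CALL = {"method": "POST",
                     "cookies": {"csrftoken": TOKEN},
                     "headers": {"X-CSRFToken": TOKEN}}


if __name__ == "__main__":
    for name, req in [("browser", BROWSER_AJAX), ("external", EXTERNAL_CALL),
                      ("copied token", COPIED_TOKEN_CALL)]:
        print(name, api_view(req))
```

Running the block prints a 200 for the browser's own call, a 403 for the bare external call, and a 401 for the call that reused a copied token, which is the ordering James recommends: CSRF rejects callers without the site's cookie cheaply, and authentication decides who the remaining callers are.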