How can I create and use a web service in public but still restrict its use to only my app?

Question

I'm creating a web service with create/update/delete calls. But for now I'd like to restrict use of it on my own web app and no other clients. How can I have clear text javascript code that makes these calls but still be confident the credentials won't be used elsewhere?

My idea is to use server side generated nonces for each request. But I am open to different ideas you guys may have. Thanks.

Answer 1

• You could use the firewall on front of your webserver to filter out based on MAC
• Yet simpler, collect the credentials (authentication token) with a dynamic dialog box (javascript is very rich on creating UI dynamically)

Answer 2

Do the users of your web-app have a loginid/password? If yes, then ask them to login, and use standard session management approaches to achieve what you want.

If your users don't have unique account, and you only want your javascript code to make the web-service calls - then it cannot be achieved. Its trivial to sniff the traffic / extract password from javascript.