We're currently developing a site that uses a simple JSON API (RoR) to populate the page. The data is public to clients but key to our service and we want to make sure that our competitors aren't leeching our data. What methods do you use to verify that AJAX requests to an API are legitimate?

+1  A: 

Re:

What methods do you use to verify that AJAX requests to an API are legitimate?

I make them login first. HTTP requests via Ajax include the cookies, so session-based authentication works fine with Ajax requests.

So the user logs in. Then the page makes the Ajax request to get the data. The Ajax API checks for a valid session before responding with the data.

Larry K
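The check Larry K describes (serve the JSON only when the request carries a valid session cookie), as an added stand-alone Ruby example that is not code from the answer or from any Rails app. It assumes a constructed server secret and cookie name, signs the session cookie with an HMAC as Rails-style signed cookies do, and rejects missing, tampered or expired cookies with a 401.

```ruby
require "openssl"
require "json"
require "base64"

# Assumed server-side values (constructed for this example); a real app keeps
# the secret out of source control and rotates it.
SECRET = "constructed-demo-secret-change-me"
COOKIE_NAME = "_app_session"

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the login step hands the browser: base64(payload)--hmac(payload).
def issue_session_cookie(user_id, issued_at = Time.now.to_i)
  payload = Base64.strict_encode64(JSON.generate({ "uid" => user_id, "iat" => issued_at }))
  sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  "#{payload}--#{sig}"
end

# Parse the Cookie header sent with the Ajax request and return the session
# data only if the signature verifies and the session is not stale; else nil.
def session_from_cookie_header(cookie_header, max_age = 3600, now = Time.now.to_i)
  return nil if cookie_header.nil?
  pairs = cookie_header.split(";").map { |kv| kv.strip.split("=", 2) }
  value = pairs.find { |k, _| k == COOKIE_NAME }&.last
  return nil if value.nil?
  payload, sig = value.split("--", 2)
  return nil if payload.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  return nil unless secure_equal?(sig, expected)
  data = JSON.parse(Base64.strict_decode64(payload))
  return nil unless data.is_a?(Hash) && data["iat"].is_a?(Integer)
  return nil if now - data["iat"] > max_age # stale session
  data
rescue ArgumentError, JSON::ParserError
  nil
end

# The JSON API endpoint: [status, body]. Only a valid session gets the data.
def handle_api_request(headers)
  session = session_from_cookie_header(headers["Cookie"])
  return [401, { "error" => "login required" }] if session.nil?
  [200, { "uid" => session["uid"], "items" => ["constructed", "sample", "data"] }]
end
```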
That's an interesting approach. As I said, it's a public site (no login needed), but I might implement a cookie anyway, to at least make it harder for them to implement a server-side bot.
Bloudermilk
If the site is public then all of the data is available (to anyone). If you want to limit the data access to your "clients" vs your "competitors" then you'll need some way to differentiate them. You'll also want clear TOS (terms of service) but TOS are only a real help when and if you get to the point of suing a competitor. No amount of obfuscation will work against a motivated competitor who wants to suck data from your site.
Larry K