I really love the idea of separating backend from frontend. In my case I’m currently playing around with that topic using nuxt.js for the frontend part and serverless with lambda / API gateway for the backend. But today I came up with a security issue with that kind of architecture and maybe you can help me with that.
When we use this pattern of having a SPA and requesting all information via APIs we should think about securing our endpoint. For private endpoints it’s not that easy but possible. We can’t use a simple API token here because we can’t store that token in a secure way in our SPA (it is executed on the clients machine). But after logging a user in we can use JWT for example and then adding an authorizer to the corresponding lambda function that checks the JWT on each request. As I said, not simple but possible.
But then I came up with public APIs. If we have an eCommerce shop for example. For sure, every visitor is able to see our products without logging in. So the SPA calls a public API endpoint that returns all products. If a visitor now checks the XHR requests they will be able to get the same response using postman for example. So how can we protect it?
On a PHP app we are getting our data and then the page gets rendered. Even if we would use a backend like express here that won’t make a difference, because the visitor can still request data from that endpoint, right? Do you have any idea how we can secure public endpoint from being used by everyone? Sounds weird because that is why they named PUBLIC endpoints, I know.