There is a master web application that needs to call REST APIs from servers of other applications. I can think of two ways to achieve it:
a) call APIs on the front-end of the master application (JavaScript)
// javascript code of master application
$.ajax(api_server1_url,{
...
})
b) call APIs on the server of the master application
// backend code of master application
call_api(api_server1_url)
Both a and b return a JSON result for further use in the master application.
If I have access to the code and servers of all the applications mentioned above, is option a or option b a better practice security-wise?
I'm very new to security, but I'll list what I know (not much...): option a has a cross-site-scripting vulnerability. I think it's possible to eliminate or limit it by changing code on the API applications, but it will take effort.
That's why I prefer option b. Though code on the API servers still needs to be updated to prevent attacks, it should be easier than option a. Only allowing the IP of the master application to access the API servers should be sufficient.
So my question is:
Is my assumption that b is better than a right? If not, what security measures do I need to implement on the API servers?
Thanks for any input.
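As an added example (not part of the question or any of the applications it describes), this is the kind of access check an API server could apply for option b: it allows the call only when the request comes from the master backend's network and also carries a shared service token, and it treats X-Forwarded-For as trustworthy only when the TCP peer is one of the API server's own reverse proxies. The network ranges, header names and token are assumptions chosen for the example.

```python
"""Access check for an API server that only the master application's
backend may call (option b). Example code, not from the question.

Assumptions (not stated in the question): the API server may sit behind a
reverse proxy that appends X-Forwarded-For, and the master backend sends a
shared secret in an X-Service-Token header. An IP allowlist on its own is
weak behind a proxy, because X-Forwarded-For is client-controlled, so the
token check is required as well.
"""
import hmac
import ipaddress

# Constructed sample values for the example; real deployments load these
# from configuration.
MASTER_BACKEND_NETS = [ipaddress.ip_network("10.0.1.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
SERVICE_TOKEN = "replace-me-with-a-long-random-secret"


def client_ip(remote_addr, headers):
    """Return the address to apply the allowlist to.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; a direct connection presenting the header is not trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            # The last entry is the one appended by our proxy, i.e. the
            # address the proxy actually saw connecting to it.
            return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_authorized(remote_addr, headers):
    """Allow the request only if the source IP is in the master backend's
    network AND the service token matches (constant-time comparison).
    Any malformed address is treated as a denial, not an error."""
    try:
        ip = client_ip(remote_addr, headers)
    except ValueError:
        return False
    ip_ok = any(ip in net for net in MASTER_BACKEND_NETS)
    token_ok = hmac.compare_digest(headers.get("X-Service-Token", ""),
                                   SERVICE_TOKEN)
    return ip_ok and token_ok
```

Calling `is_authorized(request.remote_addr, request.headers)` at the start of each API handler and returning 403 when it is False applies the check; the master backend is the only party holding the token.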