I am building a single-page (React-Redux on FE, Rails-API BE) application which makes a bunch of REST API calls to get certain information for logged-in users. Some subset of that information (categorization database) is more confidential than other information. Our aim is to make it as hard as possible for that data to be easily gleaned from the API response or be scraped.
Based on my research, I understand that there is no method which makes it 100% possible to secure the data, but I would like to make it as hard and frustrating as possible without negatively affecting the UX. We are also more concerned about the fact that the information is essentially plain JSON when it comes from the server to the client, which is far easier to exploit than scraping (since the UI in this case isn't the easiest to scrape).
So far, based on my research, it seems like I should do the following:
1. Use TLS/SSL for API calls, which prevents man-in-the-middle attacks and encrypts data in transit. But this doesn't solve the problem of a malicious end-user.
2. To do that, we are going to do some rate-limiting on the API, and we can also temporarily suspend users/scrapers who show up as 'bots' in the logs (since they are all logged-in). But that can be defeated just by malicious users appearing as more patient users.
3. The best thing, it seems, is that I could obfuscate the API response in two ways:
   - Obfuscate response keys or use which doesn't give away data as easily.
   - Send an encrypted response from the server which JavaScript decrypts using a key which itself might be obfuscated in the code. This way, the data wouldn't be visible in the Developer Tools or to anyone else making the API call.
So, my question is: is the last point above (the second point in (3), encrypting responses) an effective way to achieve my goal? And if yes, what are some things I should keep in mind for the same?
While I understand that none of these methods are foolproof, I would like to better understand the best practices for such use-cases. Any thoughts or ideas would be much appreciated!
Thank you!
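Point (2) of the post, flagging logged-in users whose access pattern to the confidential endpoint looks like a scraper, including the "patient" scraper the post worries about, can be sketched on the Rails side roughly like this. This is an added example written for this thread, not code from the original post; the log-line format, the `/api/categories/` path and the thresholds are assumptions.

```ruby
require 'time'

LINE_RE = /\A(\S+) user=(\d+) GET (\S+)\z/

# Parse lines of the assumed format "<iso8601> user=<id> GET <path>",
# skipping anything malformed.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    { time: Time.iso8601(m[1]), user: m[2].to_i, path: m[3] }
  end
end

# Largest number of requests packed into any sliding window of window_s seconds.
def max_burst(times, window_s)
  times = times.sort
  lo = 0
  times.each_with_index.map do |t, hi|
    lo += 1 while t - times[lo] > window_s
    hi - lo + 1
  end.max || 0
end

# Return {user_id => [reasons]} for users who look like scrapers of the
# confidential endpoint: either a short burst, or slow but broad coverage
# (the "patient user" case, which a per-minute throttle alone never sees).
def flag_scrapers(entries, prefix: '/api/categories/', window_s: 60,
                  max_per_window: 20, max_distinct: 30)
  hits = entries.select { |e| e[:path].start_with?(prefix) }
  hits.group_by { |e| e[:user] }.each_with_object({}) do |(user, reqs), out|
    reasons = []
    reasons << :burst if max_burst(reqs.map { |e| e[:time] }, window_s) > max_per_window
    reasons << :coverage if reqs.map { |e| e[:path] }.uniq.size > max_distinct
    out[user] = reasons unless reasons.empty?
  end
end

# Constructed sample traffic (assumed format): user 7 bursts, user 8 browses
# normally, user 9 walks the whole catalogue slowly, one request every 10 min.
def sample_log
  t0 = Time.utc(2024, 1, 10, 10, 0, 0)
  lines = []
  25.times { |i| lines << "#{(t0 + 2 * i).iso8601} user=7 GET /api/categories/#{i + 1}" }
  3.times  { |i| lines << "#{(t0 + 30 * i).iso8601} user=8 GET /api/categories/#{i + 1}" }
  40.times { |i| lines << "#{(t0 + 600 * i).iso8601} user=9 GET /api/categories/#{i + 1}" }
  lines << "#{t0.iso8601} user=8 GET /api/profile"
  lines.join("\n")
end

puts flag_scrapers(parse_log(sample_log)).inspect if $PROGRAM_NAME == __FILE__
```

In a real Rails API the burst threshold would usually be enforced at request time by a throttle such as the rack-attack gem; the coverage signal is the one that needs a look back over the logs, and a hit on either should trigger the temporary suspension the post describes rather than silently dropping requests.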