I have a REST API that can potentially serve multiple web clients.
I want to ensure that only my single page app on my-one-and-only-web-cleint.com can make requests to my API. How do I do this?
Right now there isn't much to stop someone from copying the source of my website and acting as a copy of my single page app on my-one-and-only-web-cleint.com.
The only check I have right now is:
- On the server side: I check the request header's origin and only allow requests from my-one-and-only-web-cleint.com
But my understanding is that you can manually change the header, so this check can be bypassed.
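
The server-side check described above, written out as an added example (not part of the original post): an exact-match allow-list on the `Origin` header that also emits the matching CORS response headers. The function name `decideOrigin`, the HTTPS scheme, and the assumption that the API lives on a different origin than the app are illustrative; the sample requests are constructed.

```javascript
// Added example: exact-match Origin allow-list for a REST API.
// Assumption: the single page app is served over HTTPS on the default port,
// and the API is on a different origin, so browser requests carry Origin.
const ALLOWED_ORIGINS = new Set(["https://my-one-and-only-web-cleint.com"]);

// headers: request headers with lower-cased names (as Node's http module gives them).
// Returns the status to send plus the CORS headers for the response.
function decideOrigin(headers) {
  const origin = headers["origin"];

  // No Origin header: not a cross-origin browser request from the app.
  if (typeof origin !== "string" || origin === "") {
    return { status: 403, reason: "missing Origin", headers: {} };
  }

  // Exact string match on scheme://host[:port]. No substring, prefix,
  // suffix or regex matching, so look-alike hosts and "null" are refused.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, reason: "origin not allowed", headers: { Vary: "Origin" } };
  }

  // Echo the single allowed origin; never "*" for an API restricted this way.
  return {
    status: 200,
    reason: "ok",
    headers: { "Access-Control-Allow-Origin": origin, Vary: "Origin" },
  };
}

// Constructed sample requests.
const samples = [
  { origin: "https://my-one-and-only-web-cleint.com" },             // the app
  { origin: "http://my-one-and-only-web-cleint.com" },              // wrong scheme
  { origin: "https://my-one-and-only-web-cleint.com.example.net" }, // look-alike host
  { origin: "null" },                                               // opaque origin
  {},                                                               // no Origin header
];
for (const h of samples) {
  const d = decideOrigin(h);
  console.log(JSON.stringify(h.origin ?? null), "->", d.status, d.reason);
}
```

Browsers set `Origin` themselves and do not let page script override it, so this check constrains other websites running in a browser; a non-browser client can send any value, so it does not identify the caller.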