I have some content in AEM and I am planning to export those content into mobile app(react) in headless way. I am using AEM content as service, sling content exporter(Jackson) to export the content.
For example, http://localhost:4502/content/we-retail/language-masters/en/course.model.json will export some content to frontend application(react mobile app). I want to protect this API call and I should return the json response only to my frontend application(react mobile app)
Basically I want to validate who is calling AEM. In this case I want to allow only mobile(react) to call AEM and want reject all others. How do I protect my AEM content ?
The one way I am thinking is to use Apache sling referrer filter in AEM. Referrer filter will reject the request if we are not allowing the mobile app (react ) in "Allow Host". Is this correct way to handle? if there any other best way to handle this? how about using Adobe granite OAuth 2.0 server ?
Please suggest me what are the available option to protect the content in headless.
As you give the App away (and it is based on JavaScript), you cannot get full security. Attackers could use a jailbroken phone and debug or de-compile your app. But you can easily secure your API in a way, that nobody can “accidently” find the entrance. Nor the average hacker can gain access.
The simple approach = SSL + Basic Auth
Make sure, that your site is only accessible via https (= SSL). Then just add a Basic Auth password, which is hard to guess. This is simple to implement (on Dispatcher and in the App), and developers/operators could still test the API. Only make sure, that the password is obfuscated in your App. So, don’t store it as plain text. A simple XOR encryption is probably enough.
The advanced approach = SSL with client-certificates
Instead of a Basic Auth password, you could use an SSL client certificate (implement that also on the Dispatcher, and NOT in AEM). This is probably a little bit over-engineered, and it can still get lost. But now the attacker must de-compile your App to extract the certificate. The Basic Auth password could theoretically be “found” in other ways – or it could be attacked with brute force.
PS: In both cases you need to monitor your API with some intrusion detection. And you must be able to distribute new passwords or client certificates to legitimate clients.
PPS: Mobile Security is a huge topic. This could not be handled in a StackOverflow question. But to stop script-kiddies from crawling your API, the simple approach is probably good enough.