How to hide the REST URL in the web application?

02-06-2014 01:10 AM
SunilPalkar
Occasional Contributor
Hello All,

I have created a basic web application for the public using ArcGIS JSAPI 3.5/3.6 & ESRI 10.1 suite.

When a user views the application, with the help of view source he can view all the REST URLs, and we are getting unnecessary hits on those URLs.

So is there any way to hide the REST URLs?

Any help will be great !!!
0 Kudos
1 Solution

Accepted Solutions
MattLane
Occasional Contributor II
...hide the REST URLs? ...unnecessary hits on those URLs

You really are talking about two different, although related, issues. Others have done a pretty good job of explaining already.
1. Hiding the URLs, or hiding the ArcGIS Server
2. Avoiding the unintended use of services
For #1, you can use a proxy on the server that changes the service from .../arcgis/rest/xxxx/mapserver to keep people from knowing the data source URL, but if the client (browser) is requesting the data they will still see how to hit your service, so not much is accomplished.

For #2, you can secure the service with a long-term token tied to the website so that people can't use it in their web applications or ArcMap desktop. However, they can still get to the data either from your site and the JavaScript console, or by faking request headers. We think we might have people that just click identify on every feature in the map to farm the secured data 🙂

To really avoid people seeing the URLs or getting data from the service wholesale (if that is your intent), you would need to make a server-side application that requests the data server-side and then only sends them what you want them to see. They won't see where the data came from or be able to request it themselves separately. Of course a busy site will put a lot of load on the webserver.

0 Kudos
7 Replies
JeffPace
MVP Alum
Unfortunately, if the app is public and the REST is public, you can't.

However, you could pull both your app and server internal only. Then set up a proxy that only makes your app public. That way your application server is the only server that has access to the internal REST server.

It is a complicated setup and will add some additional requirements when it comes to cross-domain access, etc., but it can be made to work.
0 Kudos
MattNicol
New Contributor III
If you're using a proxy, you could set up your URLs client-side to contain placeholders, like "http://PLACEHOLDER/arcgis/rest/services/SomeService/MapServer". Then on the server side, evaluate the requested URL and replace PLACEHOLDER with whatever the URL value really should be.
0 Kudos
JeffPace
MVP Alum
If you sniff the tile URLs, for example, wouldn't they still have the full server address?
0 Kudos
JeffMitzelfelt
New Contributor III
The best way I know to check to see what services are being touched is not so much to look at source, but to check the Developer Tools in Chrome. (Hit F12 after entering the web site)

The network tab will show you all the network connections and files you have made/downloaded. You will probably see quite a number of downloads in the form SomeResource.com/ArcGIS/rest/services/..../MapServer. You can obfuscate your code but the application will still have to somehow communicate to the network stack what resources are needed, and those calls can be displayed in any number of ways.

As soon as you say "public" you will find that there are all kinds of ways for someone to access the information in a way that you hadn't considered.

I have to agree with jeff.pace, you will need to do something with a proxy.
0 Kudos
SunilPalkar
Occasional Contributor
@All & Matt,

Thanks for your reply. Your suggestions are really helpful for me.

Thanks a lot!!
0 Kudos
AndreasGomm
New Contributor
I guess a proxy page would be the way to go.

https://developers.arcgis.com/javascript/jshelp/ags_proxy.html
0 Kudos
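A sketch of the server-side relay described in the replies above, as an added example that is not part of the original thread or of Esri's proxy page: the browser sends only an alias, and the server decides the upstream URL, the permitted operation and the fields returned. The `SERVICES` table, the `gis.internal.example` host, the field names and both function names are assumptions made for illustration.

```javascript
// Added example (hypothetical names): alias allow-list for a server-side relay.
const SERVICES = {
  // public alias -> internal-only service (constructed hostname and fields)
  parcels: {
    upstream: "http://gis.internal.example/arcgis/rest/services/Parcels/MapServer/0",
    operations: ["query"],           // operations the public may call
    fields: ["PARCEL_ID", "ZONING"], // attributes the public may see
    maxRecords: 25,                  // cap on features per response
  },
};

// Query parameters the browser is allowed to influence; the rest are fixed here.
const CLIENT_PARAMS = ["geometry", "geometryType"];

// Turn "/map/<alias>/<operation>?..." into the upstream request, or refuse it.
function buildUpstreamRequest(alias, operation, clientQuery) {
  const known = Object.prototype.hasOwnProperty.call(SERVICES, alias);
  if (!known) return { ok: false, status: 404 };
  const svc = SERVICES[alias];
  if (!svc.operations.includes(operation)) return { ok: false, status: 403 };

  const params = new URLSearchParams();
  for (const name of CLIENT_PARAMS) {
    if (typeof clientQuery[name] === "string") params.set(name, clientQuery[name]);
  }
  // Server-controlled values: a client-supplied outFields or token is ignored.
  params.set("outFields", svc.fields.join(","));
  params.set("f", "json");
  return { ok: true, url: `${svc.upstream}/${operation}?${params}` };
}

// Rebuild the response from allow-listed fields only, so upstream URLs,
// error details and extra attributes never reach the browser.
function filterResponse(alias, upstreamJson) {
  const svc = SERVICES[alias];
  const features = (upstreamJson.features || [])
    .slice(0, svc.maxRecords)
    .map((feature) => {
      const attributes = {};
      for (const name of svc.fields) {
        if (feature.attributes && name in feature.attributes) {
          attributes[name] = feature.attributes[name];
        }
      }
      return { attributes, geometry: feature.geometry };
    });
  return { features };
}
```

This keeps the service URL and unlisted attributes off the client, but it does not stop the feature-by-feature harvesting mentioned in the accepted answer; per-client rate limiting on the relay is the usual complement.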