Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


javascript - How to prevent direct access to my JSON service?

I have a JSON web service to return home markers to be displayed on my Google Map.

Essentially, http://example.com calls the web service to find out the location of all map markers to display like so:

http://example.com/json/?zipcode=12345

And it returns a JSON string such as:

{"address": "321 Main St, Mountain View, CA, USA", ...}

So on my index.html page, I take that JSON string and place the map markers.

However, what I don't want to have happen is people calling out to my JSON web service directly.

I only want http://example.com/index.html to be able to call my http://example.com/json/ web service ... and not some random dude calling the /json/ directly.

Question: how do I prevent direct calling/access to my http://example.com/json/ web service?


UPDATE:

To give more clarity, http://example.com/index.html calls http://example.com/json/?zipcode=12345 ... and the JSON service
- returns semi-sensitive data,
- returns a JSON array,
- responds to GET requests,
- the browser making the request has JavaScript enabled

Again, what I don't want to have happen is people simply look at my index.html source code and then call the JSON service directly.


1 Reply


There are a few good ways to authenticate clients.

  • By IP address. In Apache, use the Allow / Deny directives.
  • By HTTP auth: basic or digest. This is nice and standardized, and uses usernames/passwords to authenticate.
  • By cookie. You'll have to come up with the cookie.
  • By a custom HTTP header that you invent.

Edit:

I didn't catch at first that your web service is being called by client-side code. It is literally NOT POSSIBLE to prevent people from calling your web service directly, if you let client-side JavaScript do it. Someone could just read the source code.
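
The cookie option from the list above, sketched for Node.js as an added example that is not part of the original answer: the index.html handler hands out a signed, expiring value and the /json/ handler checks it before returning data. As the edit says, anyone who loads the page can obtain such a cookie, so this gives the server expiry and a per-session handle for rate limiting rather than a way to block direct calls. The names `issueToken`, `verifyToken` and `SECRET`, the 10-minute lifetime and the session id format are assumptions.

```javascript
// Added example: signed, expiring cookie value (hypothetical helper names).
const crypto = require("node:crypto");

// Assumption: a server-side secret that is never sent to the browser.
const SECRET = crypto.randomBytes(32);
const TTL_MS = 10 * 60 * 1000; // assumed token lifetime: 10 minutes

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Called when serving index.html; the result goes into a Set-Cookie header.
// Assumption: sessionId contains no "." character.
function issueToken(sessionId, now = Date.now()) {
  const payload = `${sessionId}.${now + TTL_MS}`;
  return `${payload}.${sign(payload)}`;
}

// Called by the /json/ handler before it returns any marker data.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== "string") return { ok: false, reason: "missing" };
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [sessionId, expires, mac] = parts;
  const expected = Buffer.from(sign(`${sessionId}.${expires}`));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Expiry is checked only after the signature proves the server issued it.
  if (Number(expires) < now) return { ok: false, reason: "expired" };
  // Caller can key a per-session request counter on sessionId.
  return { ok: true, sessionId };
}
```
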

