Calling back-end api from browser

[ajitkumargiri]

Hi Sir, In this project all back-end call are made from browser. Any body can see the back end API URL from browser. Is it right way to do in production. (Need your suggestion)

[dawidczarczynski]

Yes, I would say it's the only way. That's how SPA works.

[ajitkumargiri]

Is not it hampering the security of the web site? I have seen some companies are using node layer(server.js) to route back-end. Which way I will follow for a production ready application?

[juristr]

the backend url is directly configured in the environment.ts file of the Angular CLI project: https://github.com/gothinkster/angular-realworld-example-app/blob/master/src/environments/environment.ts You can also inspect the network calls from your browser's devtools to see where they go.

Generally speaking it really depends on your deployment architecture. I generally see two approaches:

• the one taken here, where the frontend app is deployed completely independantly deployed and calls an API backend which then will need to implement also all the CORS mechanism (because different domain). This is usually the case when you have an independent API used by multiple different apps/mobile.
• deploy it on the same domain as the backend. Then the app usually calls to the backend like /api/.... Locally you use a development proxy (see here) to point to your local or remote dev environment. When you deploy, you usually have an architecture, where there’s an Apache or NGINX webserver in front, which delivers your frontend and backend calls, like (/api...) are routed ahead to the backend API.

From a security perspective there’s not much difference. Both of them need to apply all the known security measures. It really just depends how you want to deploy your system.

[ajitkumargiri]

Thank you all for your very useful reply. Special thanks to @juristr for clear and detail explanations. I am little bit confused. May be it is same as my previous question. But i am describing how I face an issue for this implementation. In our organisation apis are deployed as separate application behind mashery. And front end application deployed in different server(docker) . I am new to front end and i have implemented like how front end calling back end api here(calling direct back end api from browser). Our Application security team told me "you should not implement like this any body can see the api url". Although all api end points are mashery protected.

We add a node layer (server.js) on top of it . I do not know node.js so i do not like this implementation.

I am planning to develop one private project myself. So need some suggestion . Is any real web site implement direct call to api from browser?

Thanks in advance