Security Best Practices for an API with DRF

Hi All,

I’m nearing completion of an API that I’m building that is used in conjunction with a VueJS Single Page App (SPA). In order to retrieve and modify information from and on the API, a user must be authenticated, and requests from the SPA must contain a valid JWT authorisation token.

One of the wonderful things about Django Rest Framework is the fabulous GUI they’ve built, but this got me thinking about security of my API and SPA.

I figure in order to prevent users from accessing the GUI, I can configure Django to only use a JSON renderer with this in my settings.py:

REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    )
}

But what I’m trying to work out and, I must admit, failing to find an answer to, is how can I prevent a well-informed user from using a browser’s debug mode, finding the token from the login response and writing their own code to interact with the API in any manner they see fit?

Ultimately my question can be boiled down to: can one limit API access to only the SPA for which the API was designed?

Cheers,

Conor

It can’t be done. As an SPA you’re shipping a client to the user that they can always reverse engineer.
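Added example, not part of this thread: since the SPA can always be reverse-engineered and any caller holding a valid token can reach the API, the settings fragment from the question is extended so the server enforces authentication, a deny-by-default permission and rate limits regardless of which client sends the request. It assumes the JWT is issued by djangorestframework-simplejwt, which the thread does not name.

```python
# Added example, not from the thread. Extends the JSON-only renderer setting:
# the client cannot be restricted to the SPA, so every control lives server-side.
# Assumption: JWTs are issued by djangorestframework-simplejwt.
REST_FRAMEWORK = {
    # Browsable API off: responses are JSON only, no HTML forms or login page.
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    ),
    # Every request must carry a valid JWT; no session or basic-auth fallback.
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
    # Deny by default; views that need wider access opt in explicitly,
    # and per-object checks (is this user the owner?) go on the view itself.
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    # A hand-written client can hammer the API; cap the request rate per
    # anonymous address and per authenticated user (rates are constructed).
    'DEFAULT_THROTTLE_CLASSES': (
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
    ),
    'DEFAULT_THROTTLE_RATES': {
        'anon': '20/minute',
        'user': '300/minute',
    },
}
```

The practical shift is from "only my SPA may call this" to "each token may only do what that user is allowed to do, at a bounded rate", which is what the server can actually verify.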

Hi Adam,

That’s what I feared. Thanks for the input!

Cheers,

Conor