Tags: authentication, cors, restful-authentication

Verifying Origin of HTTP Request


Scenario: Say I have a RESTful http(s) API running somewhere exposed on a public IP+port, and now I want to make a simple front-end that interacts with this API.

Constraint: I want to use GitHub Pages to serve the front-end, and I would like to make the repository public.

Question: Is there a way to design the API such that only calls originating from the gh-pages website will be successful? That is, if someone were to fork the repository and run their own version of the front-end, could the API notice that the call does not originate from the "official" gh-pages site? I'm really wondering if there is something I can provide in the API call that would prove that the caller is calling from a certain, predetermined place.

If the front-end can be privately hosted I could have a shared secret stored on both servers and use that to authenticate, but I would ideally want to be able to host this via GitHub Pages (removing the need to maintain a server myself). Can I somehow use the fact that the gh-pages site would have a proper certificate from GitHub? Or would this certificate be available for all gh-pages sites similarly, and hence not useful to determine origin?

I hope the question is clear, any input would be very much appreciated!


Solution

  • Is there a way to design the API such that only calls originating from the gh-pages website will be successful?

    No.

    The only information you have is what the client chooses to tell you.

    A client might send a referer header. A custom client definitely can lie about that.
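To make the answer concrete, here is an added example (not code from the question or the answer) of the only kind of origin check an API can perform: a CORS decision on the client-supplied Origin header. The site name and the request header dicts are constructed placeholders, not values from the page.

```python
# Added example, not code from the question or the answer: a minimal
# Origin check of the kind a browser-facing API performs for CORS, to make
# concrete what such a check does and does not establish. Every input is
# a constructed request header dict; the site name is a placeholder.

from typing import Mapping, Optional

# Placeholder for the "official" GitHub Pages origin (not from the page).
ALLOWED_ORIGINS = frozenset({"https://official-user.github.io"})


def cors_decision(headers: Mapping[str, str],
                  allowed: frozenset = ALLOWED_ORIGINS) -> Optional[dict]:
    """Return CORS response headers if the Origin header is allowed, else None.

    Header names are case-insensitive in HTTP. The allowed origin is echoed
    back exactly (not "*"), which is required when credentials are involved,
    and "Vary: Origin" stops a shared cache from replaying one origin's
    answer to another. The only input is the client-supplied header.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    origin = lowered.get("origin")
    if origin is None or origin not in allowed:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed requests. A browser fills in Origin from the page that made
# the request, so a fork's page carries a different value than the official
# site; a non-browser client sets whatever it wants, as the answer says.
OFFICIAL_BROWSER = {"Origin": "https://official-user.github.io"}
FORKED_BROWSER = {"Origin": "https://forker.github.io"}
NO_ORIGIN = {"User-Agent": "curl/8.0"}  # same-origin page or plain CLI call


def run_examples() -> dict:
    """Apply the check to each constructed request and report the outcome."""
    return {
        # Browser on the official site: the page may read the response.
        "official": cors_decision(OFFICIAL_BROWSER) is not None,
        # Browser on a fork: the browser withholds the response from that
        # page, but the server has still processed the request.
        "fork": cors_decision(FORKED_BROWSER) is not None,
        # No Origin header at all: nothing to decide on.
        "no_origin": cors_decision(NO_ORIGIN) is not None,
    }
```

What this check proves is limited to browser behaviour: a passing decision tells the browser that the requesting page may read the response, and a failing one withholds it from the page. The request itself was still served in either case, and the value compared is whatever the client put in the header, so the check is a browser-side policy rather than proof of where a call came from.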