I have a set of REST services that I ONLY want my web application to consume. I do not want my users to be able to use their credentials and have the services consumed by a third party application (since my data is paid for). I there a way to ensure that only my javascript can make calls to the services from a browser that cannot be spoofed (request headers and user agent detection for instance will not work.)
This is probably more of a creative problem.
I am also providing a REST API. I use a mix of an API Key which is always static an can be spoofed. Next is a signature which will be generatet on clinet side and prooved on server side on each request. The signature is build by a combination of all parameters AND a secret password. this prevent a man in the middle from executing for example the same call with another parameter.
Only bad is that a spoofed request can be sent again. I dont know already how to prevent that.