In general, once you put something online, it is no longer secure: virtually anything can be hacked. What can you do about it? Well, unless you are a billionaire who can afford huge investments in staff, security software, and hardware, all you can do is make the attackers' life harder and keep monitoring your systems.
There are hundreds of books about security and securing an API. We will try to implement a few basic security methods that can help you avoid a disaster.
So what are these methods? Here is a list:
Always use SSL
Add an API key for extra protection
Limit the number of requests per second from the same IP
Limit access to resources, such as DELETE, PUT, and POST, to authenticated users
There is no need to elaborate on SSL: using a secure connection is simply the way to go, and SSL certificates are quite cheap these days. For example, the guys from http://www.namecheap.com sell a multi-domain SSL certificate for 80 EUR per year...