
How to avoid API tracing by proxy servers and proxy tools such as Fiddler

I am using the Fiddler tool and I am getting the API request and response with parameters even though it is an HTTPS web application. How to avoid this? I don't want to show my API request and headers to any proxy tool. Can someone guide me?

What you want is not possible.

Your API is called from the client. Anything on the client is controlled by the owner of that client, i.e. your end user. He may choose to run the client side of your application as your server sends it (the normal way most people do :) ), or he may decide to investigate, understand or modify any client-side code. This obviously includes getting to know your API as well.

To put it another way, the client (i.e. the application in the client browser) needs to know how to talk to the API. But the client browser with the application is fully controlled by the client user, so he will also have this knowledge.

The good thing is, you have no reason to hide your API structure. If security is implemented properly, your API endpoints and calls can be public and your application will still be secure.

As a sidenote, HTTPS doesn't help here. Think of HTTPS as a tunnel, nobody can look through the walls, but anybody can look into the tunnel at both ends. One end is your server, but the other is the client. So Fiddler installed on the client can look into HTTPS traffic from/to that client (it is actually a little bit more complex, but let's go with this for now). However, Fiddler or anything else cannot look into HTTPS traffic between endpoints the Fiddler user doesn't control (again, this is somewhat simplified). So in short, HTTPS is secure if configured correctly, but it only secures the channel, and endpoints are out of scope for HTTPS.
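To illustrate the answer's point that a correctly secured API does not need a hidden structure, here is an added example (not code from the original answer): a hypothetical handler for `GET /api/accounts/<id>` whose access decision rests only on server-side checks. The endpoint, header names and token format are all assumptions, and the secret and account data are constructed for the example; anyone can see the request in a proxy, but without a server-issued token for the right user they still get 401 or 403.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; in a real deployment this lives only on the server.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, ttl_seconds=3600, now=None):
    """Issue an HMAC-signed token; only the holder of SERVER_SECRET can sign."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    payload = json.dumps({"sub": user_id, "exp": exp}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # forged or tampered: signature does not match
        claims = json.loads(payload)
        if claims["exp"] < (now if now is not None else time.time()):
            return None  # replayed after expiry
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None

# Constructed data store: which user owns which account record.
ACCOUNTS = {"acct-1": {"owner": "alice", "balance": 120},
            "acct-2": {"owner": "bob", "balance": 45}}

def handle_get_account(headers, account_id, now=None):
    """Hypothetical GET /api/accounts/<id>; the URL is public, the checks are not bypassable."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing credentials"}
    user = verify_token(auth[len("Bearer "):], now)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        return 403, {"error": "forbidden"}  # knowing the endpoint is not enough
    return 200, {"account": account_id, "balance": record["balance"]}
```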
