replaced http://stackoverflow.com/ with https://stackoverflow.com/
URL Rewriter Bot

Obfuscating your JavaScript code could be one important step. Obfuscation can make the code so complex that no sane person would try to hack it.

I have been using jscrambler.com with good results. That said, obfuscation will not solve every problem. Users will still be able to view all the traffic exchanged between the browser and the server. So they will know how the API works and how to use it.

To avoid this you can use encryption of messages using JavaScript. This could be helpful in securing the content. I found a post on Stack Overflow that discusses encryption using JavaScript: Javascript AES encryption. There are a few implementations that can be used that have a low performance impact.

Last but not least, all inputs should be thoroughly checked on the server side. All logic that can be implemented on the server side should remain there.

rmribeiro