javascript: How do I hide a REST API URL from the end user?

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original address: http://stackoverflow.com/questions/24866293/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-10-28 03:28:45  Source: igfitidea

How do I hide a REST API Url from the end user?

Tags: javascript, rest

Asked by Kode

Is it possible to hide my REST URL that I using via AJAX to populate page data? I don't want others taking and consuming from my REST API, but need to use it to display content in my site.

How do I hide my REST API URLs from the end user?

Answered by George Stocker

It's not possible to hide the URL from the end user in JavaScript. They can simply open up the Network panel in Chrome, or just turn on Fiddler to see it.

In your particular case, the only real way you can hide the URL from the user is to proxy the REST call to your API from your server-side code.

If you must use JavaScript, you can always create and use API keys and simply monitor their usage and terminate API keys that are taking up too much bandwidth; but again -- this isn't going to stop someone from being able to use your API, it'll just let you know when you receive an unexpected amount of traffic from unexpected places.

You could take it further by cycling API keys every day, so if someone wants to use your API; they have to change their code every day -- but again, this won't stop someone, just slow them down.

The only foolproof way is the way I mentioned in my first paragraph -- but that can't be done from client-side JavaScript alone.

Update in the age of Single Page Applications

What I wrote holds true, even for Single Page Applications (SPA); though you can hide the URL in the address bar by having different routing for your client-side application than your server-rendered pages.

The user can still inspect the traffic in their browser's console to check where the requests are going (there's no getting around that), but you can at least display different paths in the address bar.

Answered by The Spooniest

Not really. The page needs to have access to the URL in order to use it, and this gets you into the age-old problem of showing somebody something while hiding it from them at the same time. Modern browsers with built-in debugging tools compound the problem: even if you encrypt the URL, there comes a point where you will have to decrypt it in order to use it, and debuggers can jump in at that point.

Is there a particular reason that you're concerned about others using the API? There isn't really a way to prevent others from finding the URL, but there may be other ways to achieve your goal.

Answered by Japheth Ongeri - inkalimeva

It is not possible to hide the URL from anyone with the motivation and determination to find it. It is not advisable to depend on security by obscurity; everything exposed via REST should be considered a potential vulnerability, with all necessary security checks made on the server side. Treat all REST APIs just as you would a public web page.

Answered by Braydon Batungbacal

By hiding I'm assuming you mean not having any association to the URL shown in your JavaScript. Unfortunately it's not possible to hide the URL as far as I know; even if you managed to hide it in JavaScript, the request would be visible in any extension capable of picking up outgoing and incoming HTTP requests on a web page.

Answered by Kamlesh Gupta

Instead of sending a request for JSON data, send a request for the whole rendered HTML in the API call. In this way, hiding the JSON data is also taken care of, and the rendering time of your page is also sped up. No need for JSON data calls on the client side.