I'm setting about implementing a very basic API which takes a POST request from a web form and crunches some calculations server side before responding with the output of the calculation in the API response which is then rendered by the client.
The form appears on a statically generated website, with heavy traffic and therefore there is no server side rendering to hide credentials behind. I'd love an open discussion and any reference to good resources which would help to increase my knowledge on what level of API security should be in place when dealing with static websites requesting against server APIs. I've come from a typical MVC world where the server would take the request, render the template and ultimately provide the whole page back to the user.
When this end point is simply serving as a back end calculator, what level of authentication should my front end and server be concerned with? I'm thinking along the lines of pinning against my domain for a start but what else?
Would the usage of API token have any relevance in this scenario? Since the information is purely public I don't have a use case that would require a look up of a user or similar, but do API tokens/keys have a usage here that I haven't thought about?
What measures of protection should live on the client side? Right now I believe that whilst I know my implementation is a web form, I should really ignore the TYPE of client since anyone can spoof a browser to make a request. Is this valid and therefore I should focus on the security at the API gateway instead of the client?
What measure of server side protection should be in place? CORS? Rate limiting / Throttling?