I have seen some API requests on the web with an HTTPS GET response body starting with the following characters:<p>)]}'<p>Then these characters are followed by arrays of elements without keys (as JSON). What's the point of having this structure of response requests?
It prevents the response from being evaluated as JavaScript.<p>In some older web browsers (like Firefox 2.0), this was required to prevent an attack where the Array constructor is overridden to capture arrays within a response. This no longer works on any modern browser, but a lot of web services still attempt to defend against it.<p><a href="https://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/" rel="nofollow">https://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-j...</a>
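The behavior described in the answer above, as an added example that is not part of the original thread: a bare JSON array compiles as JavaScript source, the same body behind the `)]}'` guard does not, and a same-origin client strips the guard before parsing. The function names and the sample rows are assumptions made for this sketch.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const XSSI_PREFIX = ")]}'";

// Server side: put the guard in front of the serialized JSON.
function guardJson(value) {
  return XSSI_PREFIX + "\n" + JSON.stringify(value);
}

// True if `body` would compile as JavaScript source, which is how a
// cross-origin <script src="..."> include treats a response.
// The Function constructor only compiles here; the result is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client side: same-origin code reads the body as text (fetch/XHR),
// checks for the guard, strips it, and only then parses the JSON.
function parseGuardedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  // JSON.parse tolerates the newline left after the prefix.
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Constructed sample data: an array of arrays without keys.
const sampleRows = [["alice", 1], ["bob", 2]];

function demo() {
  const bare = JSON.stringify(sampleRows);
  const guarded = guardJson(sampleRows);
  return {
    bareIsScript: parsesAsScript(bare),        // array literal is valid JS
    guardedIsScript: parsesAsScript(guarded),  // ")" first is a syntax error
    roundTrip: parseGuardedJson(guarded),
  };
}
```

A top-level JSON object such as `{"a":1}` already fails to compile as a statement, which is why the guard matters mostly for array responses like the ones in the question.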
It disables the JS from running in an IFrame, I believe.<p>Companies like Google and Facebook use this to prevent others from embedding their pages in others.
You will need it only depending on the type of API you are building. If redirects etc. are not an issue then you won’t need it. APIs are an attack vector for hackers.