I've been working on an e-commerce project built on Symfony2 (for the backend) with an AngularJS frontend. The Symfony part is used as an API and has 3 different user levels (guest, customer & admin). The different actions that can be done within the system (like adding/removing data) are secured by:
1) Symfony2 firewall user roles/access control
2) JMS security (@PreAuthorize expressions)
For the parts that are secured this works as intended, and I'm happy with the way things work.
Problem:
There are parts of the API that are public (like retrieving product information, categories, etc.). I'm retrieving such data in Angular via AJAX calls, and the API returns the data in JSON format. One example would be:
/api/product/get-all/?page=1&count=10&sorting[id]=asc
The problem is that anyone can look at the requests in the browser, copy the path, and have access to the data (such as products) and download the JSON of all the information. Although the data is "public", I don't want to give others such an easy way of "stealing" the data.
Ideas & possible solutions:
1) Looking at the JWT (JSON Web Token) standard to try and secure the public calls to the API, and implementing it in such a way that a token is generated for "real" users on the website, and thus limit direct access to the public API links.
What do you think? Is this a possible solution?
2) I read in another question on Stack Overflow to check the HTTP_X_REQUESTED_WITH header of the request, but I know this can be spoofed by an attacker.
3) Finally, I read about a similar approach to "solution" 1) here: http://engineering.talis.com/articles/elegant-api-auth-angular-js/ but I'm not entirely sure it fits my purpose.
Additional notes:
- I don't want to make it bullet-proof, I just don't want to give people the option to click 2 buttons and have the data. I know the information can be "stolen" (e.g. using a web scraper), but "securing" the system in such a way that people have to make a bit of an effort is what I have in mind.
- I can't re-model the API at this stage, but ideas are appreciated.
Thanks for taking the time to read the question, I'm looking forward to your feedback.
You can limit abuse of the system in a number of ways, including:
Limit the total number of requests the API will return before requiring a CAPTCHA or other validation method. This can be limited by IP, browser fingerprint, authentication token, etc.
Make it difficult for an abuser to guess the IDs of products, categories, etc. by using GUIDs or other randomly generated IDs.
Use an API management proxy such as Azure API Management for more enterprise-level management of APIs (http://justazure.com/azure-api-management-part-one-introduction/)
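The first suggestion in the answer above (a per-client request budget that demands a CAPTCHA once exhausted), as an added example that is not code from the question, the answer, or Symfony2 itself. It is plain PHP with a constructed in-memory store; the RequestBudget class name, the limits and the IP address are assumptions, and the hook into a Symfony2 kernel.request listener is described in comments rather than wired up.

```php
<?php
// Sliding-window request budget for the public /api/product/... endpoints.
// Hypothetical wiring: call RequestBudget::check() from a kernel.request listener
// and, when it returns false, set a 429 JsonResponse such as
// {"captcha_required": true} so the Angular client can render the challenge.
class RequestBudget
{
    private $limit;          // requests allowed per window before a challenge
    private $window;         // window length in seconds
    private $hits = array(); // key => request timestamps (in-memory stand-in for Redis)

    public function __construct($limit = 100, $window = 600)
    {
        $this->limit = $limit;
        $this->window = $window;
    }

    // Bucket key: prefer the authenticated token, fall back to the client IP.
    // Use the address the web server itself saw; trusting X-Forwarded-For
    // blindly lets a client choose its own bucket and escape the limit.
    public static function keyFor($token, $remoteAddr)
    {
        return $token !== null ? 'tok:' . hash('sha256', $token) : 'ip:' . $remoteAddr;
    }

    // true  -> serve the request; false -> require a CAPTCHA before serving more.
    public function check($key, $now)
    {
        $fresh = array();
        $old = isset($this->hits[$key]) ? $this->hits[$key] : array();
        foreach ($old as $t) {           // drop timestamps outside the window
            if ($t > $now - $this->window) { $fresh[] = $t; }
        }
        if (count($fresh) >= $this->limit) {
            $this->hits[$key] = $fresh;  // budget exhausted, do not record this hit
            return false;
        }
        $fresh[] = $now;
        $this->hits[$key] = $fresh;
        return true;
    }

    // Call after a successful CAPTCHA so the client gets a fresh budget.
    public function reset($key) { unset($this->hits[$key]); }
}

// Constructed demonstration: 100 rapid anonymous calls pass, the 101st is challenged.
$budget = new RequestBudget(100, 600);
$key = RequestBudget::keyFor(null, '203.0.113.7');   // constructed client address
for ($i = 0; $i < 100; $i++) { $budget->check($key, 1000 + $i); }
echo $budget->check($key, 1100) ? "served\n" : "challenge required\n";
```

Pair the budget with the answer's other points: random IDs stop a scraper from simply walking /api/product/get-all/?page=N, and the JWT idea from the question gives you a better bucket key than the IP for logged-in customers.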