I want to use Ember.js for my site, and don't need to open up the api at this point. But I do want to make sure that no one else can grab the data from the endpoints.

I would like to do this in a restful way, but I don't know if it's possible to do and still keep the data secure. As I understand it, there's no way to full protect access even with tokens, etc. But I'm probably missing something.

But could I simply make all my endpoints accessible only by the POST method, and include the csrf token (Form::token()) for the post requests and then on the server side use the CSRF filter for it to make sure it's not someone outside of my site grabbing the data? Would that secure it?

Or is there another, better way?