I am about to create a REST API that would serve its resources to a mobile apps, these includes iOS & Android smartphones.
Now I am concern of limiting my API to serve only request coming from apps, that means if the request is done via browser then I should deny it. The reason for this is I am concern regarding the XSS attack and such.
Am I wrong in what I am thinking now? If no, then how should I tell that the requestor is coming from an App?