How to only accept requests from a Next.js app.
Answered
Asiatic Lion posted this in #help-forum
Asiatic LionOP
I want to prevent others from calling my APIs.
Currently any server action request appears in the browser, and hence if someone takes the curl and tries it many times it should work.
The question is how I prevent any others from calling this.
Thanks.
Answered by joulev
Impossible. Default CORS protection from the browser should be enough to prevent other websites from making requests, but nothing can be done to truly prevent people from making requests indistinguishable from valid requests from your frontend.
14 Replies
@Asiatic Lion I want to prevent others from calling my APIs.
Currently any server action request appears in the browser, and hence if someone takes the curl and tries it many times it should work.
The question is how I prevent any others from calling this.
Thanks.
You can secure your endpoint by checking some identity from the client, for example a token. That can be a Bearer token, an API token, ...
Your server knows the token, and like that only you and your server can call your API with a valid token.
Asiatic LionOP
But in case you have a token,
it should also be included in the curl from the browser network request.
I think we might need a way to limit by IP,
so we make sure only some servers' IPs can call, others not.
What are your thoughts?
IPs can also be changed, and yes, of course this token needs to be handled securely. So the user who uses this token should not be allowed to share this token. It's his identity. You are not sending the token inside the URL, normally via a cookie or inside a POST body. So even if you share the URL with others, they also need your token to access the URL.
Asiatic LionOP
If you try to copy the network request as a curl,
you'll see the token included.
Yeah, because the client who made (past) the request already knows the secret token. It's like sharing a secret with your client so they can access your application. And of course this secret should not be shared.
They are just HTTP requests at the end of the day. HTTP requests can be constructed and cloned; nothing you can do about that.
Netherland Dwarf
You can add rate limiting.
But like joulev said, it is impossible.
Yeah, rate limiting will help prevent spam if you are worried about that. reCAPTCHA is also a good idea. That's about the most protection you can have already.
Yes, and most of the rate limiting is handled via IP like you said. Or (of course) via the token.
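Putting the two mitigations discussed in this thread into code, as an added example that is not from any poster: a framework-agnostic guard (the request shape, names and limits are assumptions) that checks a bearer token in constant time and applies a sliding-window rate limit per source IP and per token, so a token copied out of a curl command is throttled rather than usable without bound. In a Next.js app this logic would sit in middleware or a route handler.

```javascript
// Added example, not from the thread. Request shape is assumed:
// { ip: string, headers: { authorization?: string } } with lowercase header names.

// Constant-time comparison so a token check does not leak which
// characters matched via timing (the length check is deliberately early).
function tokensMatch(presented, expected) {
  if (typeof presented !== "string" || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Sliding-window limiter: at most `limit` requests per `windowMs` per key.
// In-memory only; a multi-instance deployment would back this with a shared store.
function createRateLimiter({ limit, windowMs }) {
  const hits = new Map(); // key -> timestamps (ms) of recent requests
  return function allow(key, now = Date.now()) {
    const recent = (hits.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      hits.set(key, recent);
      return false;
    }
    recent.push(now);
    hits.set(key, recent);
    return true;
  };
}

// Returns an HTTP status for the request: 429 when throttled, 401 on a
// missing or wrong token, 200 when the request may be served.
function createGuard({ expectedToken, limit = 5, windowMs = 60_000 }) {
  const perIp = createRateLimiter({ limit, windowMs });
  const perToken = createRateLimiter({ limit, windowMs });
  return function guard(req, now = Date.now()) {
    // Throttle by source IP before authentication so token guessing is slowed too.
    if (!perIp(`ip:${req.ip}`, now)) return 429;
    const auth = req.headers["authorization"] || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : null;
    if (!tokensMatch(token, expectedToken)) return 401;
    // A leaked token replayed from another machine shares this bucket with the
    // legitimate client, so the replay is capped rather than unlimited.
    if (!perToken(`token:${token}`, now)) return 429;
    return 200;
  };
}
```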
Asiatic LionOP
I see.
Thank you all. This was helpful for me.
Appreciated.
Happy to help. Please mark the solution.