Next.js Discord

Discord Forum

API security

Answered
Persian posted this in #help-forum
PersianOP
How can I make it so the API server is only accessible through my domain? Like this in Express.js:
```js
const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors({
  origin: 'https://domain.com', // must match the browser's Origin header exactly, scheme included
  methods: ['GET', 'POST'],
  credentials: true // Include credentials if needed
}));
```
Answered by Persian
Yes, but they can access that key and use it outside the client. You know what, forget about it.

28 Replies

@B33fb0n3 @Kawakawa Checking Origin headers will only keep out basic access. It's trivial to spoof your Origin header.
The only way to prevent your API from being accessed is with network-level rules, like only allowing certain IPs that you control.
CORS is not security.
Network-level stuff typically isn't the first solution though.
Use API keys
and only let requests through that have a valid key.
@Persian As linesofcode said, the Origin header blocks just the basic access.

To prevent it effectively you need to add network-level rules. That can be rules to allow only certain IPs.

Another option would be to use only valid keys, like API keys.
Saint Hubert Jura Hound
It's also good practice to regularly rotate API keys.
@linesofcode The only way to prevent your API from being accessed is with network-level rules, like only allowing certain IPs that you control.
PersianOP
I want only the client side to be able to access it, so if I add the IP address that will be sent from the client side, it will send the user's IP address and not the IP I want to add to the whitelist, right?
The only option I have is Origin, I guess.
An API key for the client is the best thing you can do.
CORS is not security.
@linesofcode CORS is not security.
PersianOP
Yes, because they can change this.
@B33fb0n3 Then use an API key.
PersianOP
But then users can get the API key and use it, right?
Of course they can change their API key, but the backend only knows one key. And only with this one API key can you access it.
@Persian But then users can get the API key and use it, right?
They only provide their API key. The client can't read the server-side key.
PersianOP
I know, but my idea is that I want users to be unable to access my API server outside the client side. It's impossible, I guess.
... outside the client side ...
can you clarify?
@B33fb0n3 > ... outside the client side ... can you clarify?
PersianOP
Like, we have the server side and the client side; I want to make it so the client side is the one and only thing allowed to use the API.
It's impossible, I guess.
Is there any way to get the real IP address of the request using a Next.js API?
@Persian Is there any way to get the real IP address of the request using a Next.js API?
PersianOP
Just asking in general; I know that won't help me with the request.
@Persian Like, we have the server side and the client side; I want to make it so the client side is the one and only thing allowed to use the API.
It isn't. Create a variable server-side. Then give it only to the clients who are allowed to access this secret key. After that, only the clients who are allowed can access your API. If you give this key to no one, then no one can access your API.
PersianOP
Yes, but they can access that key and use it outside the client. You know what, forget about it.
Yes but they can access that ...
Server-side variables are not accessible from the client.