I have an angular and php apps hosted in the same shared hosting and are accessible from the same domain example.com.
The php app expose a rest api, and I want this api to be accessible only from the angular app.
Both apps don’t have user authentication.
2
Answers
As @Edcel Cabrera Vista mentioned, I tried to restrict the calls in the application layer by adding rules to .htaccess file, Checking in the PHP file if the incoming client IP matches my website ip or localhost, adding basic authorization. None of them work, because the angular app in the end is just a client JS code that runs in the user's browser, so the user has total control about it and the client IP will always be the user's IP.
I realized in the end that I could do the HTML rendering in the server side, and return the ready HTML page to the client. For the moment that suits my needs.
The best way to do it is to place your backend in private subnet which is accessible to the frontend angular via internal network route.
But base on your case you are hosting both in the same server instance which are public. Which the above recommendation is not applicate. Since you cannot restrict it in the network layer you can look into application layer and you can utilize web server config extension such as .htaccess, you can create a rule that only allows frontend request. It’s an application layer restriction.