I’d like to limit API access from one or more domains – in other words I have a set of exposed API endpoints but I only want to respond to specific remote servers.
I intend to issue tokens to the servers that I intend to respond to but I want to ensure that I’m really dealing with the right servers in case the tokens become public knowledge.
I thought I would be able to use Origin or Referrer from the HTTP headers but perhaps because I’m sitting behind an Nginx front end, those headers don’t always seem to be visible.
Any suggestions gratefully received.
3 Answers
You can’t find domain names by IP (nslookup/dig $IP) because the reverse resolution requires an entry in the reverse zone (DNS) configured for that IP. Not everyone sets up a reverse zone and, more importantly, many domains have just an A record configured.
Using other information coming from the request itself is not, IMHO, a valid solution because this information can be forged, so there’s a high chance it may be "fake".
The best solutions I can suggest are:
Limiting CORS / Origin headers is one way if your API calls are coming from the client side.
If it’s a server-side call, IP is one way, but not guaranteed if there are many network hops in between and references are not passed by load balancers.
Maybe you can try something like this (Node.js):
Replace https://www.example.com with your domains.