
I’d like to limit API access to one or more domains – in other words, I have a set of exposed API endpoints but I only want to respond to specific remote servers.

I intend to issue tokens to the servers that I intend to respond to but I want to ensure that I’m really dealing with the right servers in case the tokens become public knowledge.

I thought I would be able to use Origin or Referer from the HTTP headers, but perhaps because I’m sitting behind an Nginx front end, those headers don’t always seem to be visible.

Any suggestions gratefully received.

3 Answers


  1. You can’t find domain names by IP (nslookup/dig $IP) because the reverse resolution requires an entry in the reverse zone (DNS) configured for that IP. Not everyone sets up a reverse zone and, more importantly, many domains have just an A record configured.

    Using other information coming from the request itself is, IMHO, not a valid solution because that information can be forged, so there’s a high chance it may be "fake".

    The best solutions I can suggest are:

    • Filter by IP: if you know who’s going to call your API, they know what IP they’re using to call your web server. Configure Apache to allow access only from those IPs.
    • Configure client-side authentication on your API so only those with a valid and authorized certificate (which doesn’t need to be signed by a valid CA: you can create and use your own custom CA) will be able to connect.
  2. Limiting CORS / origin headers is one way if your API calls are coming from the client side.
    If it’s a server-side call, IP is one way, but not guaranteed if there are many network hops in between and the references are not passed on by load balancers.
  3. Maybe you can try something like this (Node.js, using the cors middleware for Express):

    // npm install express cors
    const express = require('express');
    const cors = require('cors');

    // Origins allowed to call the API (placeholders: replace with your domains).
    const whitelist = ['https://www.example.com', 'https://app.example.com'];

    const corsOptions = {
      // `origin` is the request's Origin header. Browsers send it; most
      // server-to-server clients do not, so it is undefined and rejected here.
      origin: (origin, callback) => {
        if (whitelist.indexOf(origin) !== -1) {
          callback(null, true);
        } else {
          callback(new Error('Not allowed by CORS'));
        }
      },
      // some legacy browsers choke on a 204 preflight response
      optionsSuccessStatus: 200
    };

    const app = express();
    app.use(cors(corsOptions));

    Replace https://www.example.com with your domains.
