
I have an API endpoint but I want it to be accessed only from a certain website.

The API is at api.mydomain.com/v1/ and the only website that should be able to access that API is mydomain.com. I already implemented CORS, but since my website can be accessed by the public, no login is needed; it is also static and the API is called by AJAX, so I did not add a token. If users view-source my site they will see the API endpoint, so if they browse to the endpoint they can access the data directly. I want the URL endpoint to be accessed by my domain and not by accessing it directly. How can I do it in a Node.js Express project?

sse
  • The express module [cors](https://github.com/expressjs/cors) can easily whitelist domains. – E. Sundin Mar 21 '17 at 03:20
  • You can simply use a `post` request instead of `get` to get the data. In the application you can check whether the request is `post/get` and show an error on `get`. Since you already have CORS enabled, no other site would be able to get data from the endpoint. – Apoorv Joshi Mar 21 '17 at 03:21
  • Wouldn't CORS still allow a response to be sent up to the browser level? The response header will contain `Access-Control-Allow-Origin` set to `somedomain.com` and nothing in `Access-Control-Allow-Methods`, and then the browser will stop executing/displaying the response. If you are using a program which uses an HTTP client, you can still see the full response there. – blogbydev Mar 21 '17 at 03:34
  • @Apoorv I used `post` in all API endpoints but I can still access the endpoint. I tried to use an HTTP client to test, and I still get data – sse Mar 21 '17 at 03:56

1 Answer


Looks like you need to add some kind of CSRF protection, wherein all API requests made ONLY by mydomain.com webpages will contain some security token (you or the framework you are using should provide an implementation of this security token). This SO post may help further.

blogbydev
  • How can I implement this in a progressive web app? Because the website I'm building is a PWA – sse Mar 22 '17 at 07:55
  • I am not really knowledgeable on PWAs; I think you should add a tag for PWA if it's available. But I can help by telling you that any web server should provide APIs for creating tokens on authentication. Find those APIs. Further, read about CSRF and what kind of APIs you should expect from your server framework. You can follow https://www.troyhunt.com/understanding-csrf-video-tutorial/ and also the wiki page for CSRF. You can find many videos on YouTube also. – blogbydev Mar 23 '17 at 11:32