0

I want to update records in a database through an api.php. I do this by sending GET requests to the API on the server from another particular server.

I tried limiting CORS to only that specific server, but GET requests were still accepted from the browser. I also tried to set a condition to match the server's IP with the one specified in the API and abort if it's false. However, I fear that this is an imprudent move as I am not that experienced in these types of situations.

Can I safely limit the api to allow GET requests only from this specific server address?

System architecture

  • Webserver: Nginx
  • App language: php(5.3), javascript, html, css
  • Database: Mysql
mountaincloud
  • 1
  • 3
  • 3
    Aside: `GET` should not be used for updating a resource – CD001 Mar 15 '18 at 15:46
  • You can. There are many scenarios of what you can do. Now, the issue is obviously - knowledge level. In my opinion, the best way to deal with these kinds of limits is on the web server (my personal choice is `nginx`), not in app language. You can opt in for IP restriction, you can choose to authenticate people based on username / password, bearer token, api key, public key and what not. I guess you can tell that your question is really broad. How about you start by expanding the question with web server software? – N.B. Mar 15 '18 at 15:48
  • Using IP addresses for authorization or authentication purposes is always questionable. I suggest you take a look at client side certificates instead. – arkascha Mar 15 '18 at 15:48

1 Answers1

0

An solution would be to use JSON Web Tokens.

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

You can find the PHP framework to generate/check the tokens at https://github.com/web-token/jwt-framework

Mihai Matei
  • 24,166
  • 5
  • 32
  • 50