Reputation: 3416
What clients can / can't access a RESTful web service by default?
I am currently developing an API that will be launched into production in a matter of weeks. I am relatively new to REST, started reading about CORS - and realized that it could impact me.
What conditions will a REST service not be accessible to a client? I have been using sample html/js on the same server, and through Postman - a google chrome addon - to access my API. I have had no issues so far.
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
What about accessing rest APIs from other non-browser clients? Such as a C# application? Are these requests permitted by default?
Assuming I do need to add 'access-control' headers server-side, to permit the scenario described above when my API goes live, is it better (performance-wise) to let your web server (NGINX in my case) handle the headers, or should I add them through PHP or NodeJS?
Upvotes: 1
Views: 1404
Answers (2)
Reputation: 19305
This is more about the same-origin policy applied by web browsers than it is about RESTful APIs in general.
If your API is intended to be used by web applications deployed on a different origin host/port than the API, then you have these options:
- Respond with appropriate headers that allow for techniques like CORS to work.
- Have the web server which serves up your web content (in your example,
app.myOTHERserver.com) handle your REST API requests too by proxifying your API requests from the web server through to the API server. For example, you could have your API exposed on your web server under the URL/api, and then it's just a matter of setting up a web proxy configuration that forwards requests under that URL to your API server. - Use JSONP or other techniques.
If your API is going to be used by non-web applications, you have nothing to worry about. This is only a restriction applied by browsers when running JavaScript code to make sure that the user hasn't inadvertently clicked on a phishing link with some hackery in it that tries to send their PayPal password to Pyongyang.
Upvotes: 1
Reputation: 19294
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
You can specify what clients can access your web service to an extend. Assuming you're using Express: How to allow CORS?
Upvotes: 0
Related Questions
- Understanding CORS
- How does CORS actually protect against security issues?
- Does a RESTful API need CORS implementation anytime?
- CORS is it safe to allow any ports?
- Rest API Security Questions
- Nodejs API : CORS seems to be enabled by default
- When is it safe to enable CORS?
- Do I need to use CORS in case of RESTfull API?
- CORS and Access-Control-Allow-Methods in Express.js?
- The concept of CORS and should I enforce an Origin header?