Reputation: 77
Disable direct requests to REST API
I'm making a REST backend for private use of our frontend, they will both be in the same server. The problem is that I'm worried about security issues, I don't want a attacker to use the API directly, either by JS or by using other REST client.
Lets take this service as an example
http://myserver:8080/something/webresources/film
That's a service that allows to GET, PUT, POST, DELETE I want that only the frontend be able to use it, otherwise since anyone can see client-code it would be easy to get the endpoint and start putting or getting data. I do have BASIC AUTH so they would have to register and if they did something wrong I would be able to see who did it, but that doesn't solve the problem.
I could implement access control so that a user only could get/update/delete their own movies, but I would have to do that for every REST service(I have over 100 by now), plus I might need to actually get others movies
This is my first public project, I am really lost.
Upvotes: 2
Views: 1880
Answers (2)
Reputation: 497
You can do it through your web server. I'm using Nginx. I have an if statement that checks the $http_referer. If it returns nothing, or the value returned is not my application/frontend page (meaning someone is trying to hit the api directly), it'll return a 403 forbidden page.
If your application doesn't send out emails to your users don't worry about the following: I added a block to allow access to my static images as the only exception, as my application sends out emails with images and I don't want them to break.
That's it. Problem solved. No one has access to my api except my frontend page/application, unless they can forge the $http_referer to match my domain which if they can do that then they deserve to break in.
Upvotes: 1
Reputation: 26137
Your only option to call the REST API from server side. You cannot hide from the users what's going on in their browser... You can have a layered application, so the frontend layer can call the backend layer on the server while the client can see only the frontend. (Check the layered system constraint.)
Upvotes: 0
Related Questions
- How to allow all and any requests with Spring Security?
- Prevent direct call to my spring boot rest API
- Spring Security, disable formLogin() for REST requests
- Disabling HTTP GET/POST in Spring
- Spring Security disable security for requests made FROM a certain url
- Allow get-request but not post-request (Spring Security)
- Prevent Http access to api
- Call A Rest API that is secured with spring security
- Spring security filter blocking restful api calls
- Access REST API protected with Spring Security