CODEWITHSUNDEEP
javaapisecurityipapigee
MikaelW
MikaelW

Reputation: 1205

rest API, IP origin control for preventing the bypassing of Apigee

We have created a Rest API using Spring. There is no security implemented.

Now we are going to use Apigee for API management, it will provide various services, for monitoring, security, etc. All our clients should now call our API using Apigee rather than directly calling our service on our server.

How can we enforce that the bypassing of Apigee is impossible?

I guess, in our code, we can have a filter and use the "Access-Control-Allow-Origin" property, something like: 

public class OurFilter implements Filter
{
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
            ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, DELETE");
        chain.doFilter(req, res);
    }
}

Where the "*" would be replaced by the Apigee Ip, domain name or something.

My question is how safe is that. Can people just add a header to their http request and call our server directly successfully? Or does it check the origin IP on the low level individual "IP packets".

And if it is spoofable just by editing the http header, what is the right way to make the bypassing of Apigee impossible?

Many Thanks

Upvotes: 0

Views: 248

Answers (1)

Ivan Novakov
Ivan Novakov

Reputation: 130

The headers you consider using are for enabling CORS, which is important for the browser (client) side, but it doesn't provide any security for the server side.

If you want to secure your backend API against direct usage, you will have to establish some kind of authentication between Apigee and the backend API, so the backend API denies any requests coming from other clients.

There are different options, how to do this. It depends on the required level of security and the capabilities of the backend API.

For example:

  • Restrict by IP address - allow requests from Apigee's IP address only
  • Use a shared secret - When communicating with the backend API Apigee will add a header containing a secret key, which is recognized by the backend. This is probably the easiest solution and provides a reasonable level of security. Of course, assuming that the communication is over HTTPS only :).
  • Use two-way SSL - This is more secure, but also more complicated. Apigee side will have to authenticate to the backend API using a client certificate.

Upvotes: 0

Related Questions