
How to restrict access to API to the portal run on browser through Nginx


Scenario

I have a system with an api server and a front end (static website run on browsers) and they are publicly available under 2 domain names a.example.com and a-api.example.com

Question

How do I restrict access to my api at a-api.example.com to my front end only (e.g. no one can arbitrarily curl to it and be able to access)? Or is it possible at all?

If you can add a sample nginx block that'd be awesome.


You cannot block curl calls completely.

However, you can make them more difficult by requiring that the HTTP Referer header is set to the api. You can use the nginx HTTP referer module for this. An example configuration:

server {
    # Assumed listener for the API host (these two lines are not in the original answer).
    listen 443 ssl;
    server_name a-api.example.com;

    # Allow only requests whose Referer is the front end (a.example.com), not the
    # API's own host; a request with no Referer at all is rejected as well.
    valid_referers a.example.com;

    if ($invalid_referer) {
        return 403;
    }
}

This is not adding any security to your website. It is trivial for a bad actor to add the required HTTP header when making requests to a-api.example.com.

Therefore it is important that best security practices are used in your API implementation.
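To see what the valid_referers check decides for different callers, here is an added Python model of how nginx's referer module evaluates $invalid_referer, run over constructed sample requests. It is not nginx code and not part of the answer; it assumes an allow-list of the front-end origin a.example.com and approximates nginx's matching rules (none, blocked, "*." and ".*" wildcards, URI prefix), leaving server_names unmodelled.

```python
from typing import Optional, Dict, List
from urllib.parse import urlsplit


def invalid_referer(referer: Optional[str], valid: List[str]) -> bool:
    """Approximation of ngx_http_referer_module's $invalid_referer.

    `valid` holds the arguments of a valid_referers directive: 'none',
    'blocked', or hostnames with an optional '*.' prefix, '.*' suffix
    and optional URI prefix (e.g. 'a.example.com/app/').
    """
    if not referer:
        return "none" not in valid              # absent Referer
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid           # Referer stripped by a proxy/firewall
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in valid:
        if entry in ("none", "blocked", "server_names"):
            continue
        pattern_host, _, pattern_path = entry.lower().partition("/")
        if pattern_host.startswith("*."):
            host_ok = host.endswith(pattern_host[1:])   # "*.example.com" -> ".example.com"
        elif pattern_host.endswith(".*"):
            host_ok = host.startswith(pattern_host[:-1])  # "example.*" -> "example."
        else:
            host_ok = host == pattern_host
        if host_ok and path.startswith("/" + pattern_path):
            return False
    return True


def handle(headers: Dict[str, str], valid: List[str]) -> int:
    """HTTP status the `if ($invalid_referer) { return 403; }` block would yield."""
    return 403 if invalid_referer(headers.get("Referer"), valid) else 200


# Constructed sample requests (not captured traffic), checked against the
# corrected allow-list that names the front-end origin.
VALID_REFERERS = ["a.example.com"]
SAMPLES = {
    "browser_frontend": {"Referer": "https://a.example.com/dashboard"},
    "bare_curl": {},
    "other_site": {"Referer": "https://other.example.net/page"},
    "curl_with_forged_referer": {"Referer": "https://a.example.com/"},
}


def run_samples() -> Dict[str, int]:
    return {name: handle(hdrs, VALID_REFERERS) for name, hdrs in SAMPLES.items()}
```

The last sample is the caveat from the answer in code form: anyone who sets the header gets the same 200 as the real front end, so the check only filters out careless clients, not deliberate ones.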
