Imagine the scenario where you have a client who wants you to implement calls to an external API on a landing page that you've set up for them. The external API works based on a contract and API keys which are obtained through that contract; hence you must not expose the API keys in fetch() calls from your frontend.
You thus now have the mandate to implement a Docker instance which acts as an intermediary server, connecting your LP's fetch() calls to the external API, such that, with every request, you have the following traffic:
client --> Docker container --> API --> Docker container --> client
To still keep security tight, I now wonder about the best approach to authenticate requests incoming from the client to the Docker container. Authorization is implemented via CSRF-tokens that are delivered to the client upon page load; post successful initial authentication.
Given that the landing pages have no login system and we cannot rely on non-HTTP / third-party cookies, I thought of only allowing requests to come into the Docker container which originate from the domain of the deployed landing page; but I don't know A) if this is possible (I thought of the Access-Control-Allow-Origin config on the Docker container?), and B) if this is secure? I particularly wonder about B) because it is pretty easy to fake things like a referrer header, so I wonder if domain names from which a request originates may be faked in an easy way too?
If I also understood things correctly, the rule provided via the Access-Control-Allow-Origin header is only enforced in browsers, and for example simple HTTP clients can circumvent / disregard it; correct?
I also thought of basic authentication, but I'd prefer some kind of authentication that does not expose anything within the client code, as I would need to provide the authentication token to JS in that case.
Given that the Docker container runs on Apache, I'm thinking that the tightest solution for this use case would be to restrict the access to the IP of the deployed LP, via this, using something like this. I know this is rather access restriction vs authentication; but I figure it's the best solution for this landing-page scenario which does not expose anything to the client?
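To make the distinction the question circles around concrete, here is an added example (my own code, not part of the question or of any project it mentions) of the authorization layer such an intermediary container could run. It keeps two things separate: the Access-Control-Allow-Origin response, which only browsers enforce and which is derived from an Origin header any non-browser client can set freely, and the actual forward/deny decision, which is based on a short-lived HMAC-signed token handed to the page at load time (the question's "CSRF-token delivered upon page load"). The token is the only secret the page's JavaScript ever sees; the external API key stays inside the container. The secret key, the allowed origin `https://landingpage.example`, the header name `X-Page-Token` and the 600-second lifetime are all assumptions made up for the example.

```python
"""Authorization layer for the intermediary (proxy) container.

Added example, stdlib only.  Two separate concerns:
  * cors_allow_origin(): computes the Access-Control-Allow-Origin header.
    Browsers enforce this; curl or a script simply ignores it, and the
    Origin request header it is based on is attacker-controlled.
  * authorize_request(): decides whether the proxy forwards the request to
    the external API.  It relies on a signed, expiring page token and
    deliberately never looks at Origin or Referer.
"""
import hashlib
import hmac
import secrets
import time

# Constructed values for the example; a real container would load the key
# from its environment or a secret store, never from the page itself.
PROXY_SECRET = b"example-proxy-signing-key-not-for-production"
ALLOWED_ORIGINS = {"https://landingpage.example"}   # hypothetical LP origin
TOKEN_TTL_SECONDS = 600                              # assumed token lifetime
TOKEN_HEADER = "X-Page-Token"                        # assumed header name


def issue_page_token(secret, now=None):
    """Mint the token the page-serving step embeds in the HTML at load time.

    Format: <nonce>.<expiry-unix-seconds>.<hex HMAC-SHA256 over nonce.expiry>
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    payload = f"{nonce}.{now + TOKEN_TTL_SECONDS}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_page_token(secret, token, now=None):
    """True only if the MAC is genuine and the expiry has not passed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, expiry, mac = parts
    expected = hmac.new(secret, f"{nonce}.{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return False
    return expiry.isdigit() and int(expiry) > now


def cors_allow_origin(headers):
    """Value for Access-Control-Allow-Origin, or None to omit the header.

    This only tells a *browser* whether the page's JavaScript may read the
    response.  It proves nothing about who sent the request.
    """
    origin = headers.get("Origin")
    return origin if origin in ALLOWED_ORIGINS else None


def authorize_request(secret, headers, now=None):
    """Forward/deny decision for one incoming request: (status, reason).

    Origin/Referer are intentionally ignored here: a non-browser client can
    send any value, so they must not gate access to the upstream API key.
    """
    token = headers.get(TOKEN_HEADER, "")
    if not verify_page_token(secret, token, now):
        return 403, "missing, forged or expired page token"
    return 200, "forward to external API"


if __name__ == "__main__":
    # Constructed request headers illustrating each case.
    fixed_now = 1_700_000_000
    good = issue_page_token(PROXY_SECRET, now=fixed_now)
    cases = {
        "browser page with valid token": {"Origin": "https://landingpage.example",
                                          TOKEN_HEADER: good},
        "curl with forged Origin only": {"Origin": "https://landingpage.example"},
        "tampered token": {TOKEN_HEADER: good[:-1] + ("0" if good[-1] != "0" else "1")},
    }
    for name, hdrs in cases.items():
        status, why = authorize_request(PROXY_SECRET, hdrs, now=fixed_now)
        print(f"{name:32s} -> {status} ({why}); ACAO={cors_allow_origin(hdrs)}")
```

Two practical notes on the design: the signed token still has to reach JavaScript, but unlike a basic-auth password or the upstream API key it expires within minutes and reveals nothing about the upstream contract, which is the trade-off a login-less page has to accept. Restricting by IP, on the other hand, does not fit the traffic shown in the question: the browser's fetch() calls arrive at the container from each visitor's own IP address, not from the server that hosts the landing page, so an allow-list of the LP's IP would block exactly the requests it is meant to admit.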