
Is it possible to block connections to a web service (server) from outside its domain?

For example, consider a web app that fetches data from Twitter's API using Twitter's "application only auth". The web app's client uses AJAX to call its own server, which in turn calls Twitter's API with Twitter's token.

While the token is never exposed to the client-side code, is there anything to stop an outside server-side app from calling the web app's server using the URLs used by the client and, for example, exhausting the Twitter token's rate limits?

2 Answers


You should secure your web service with user and password security or certificate security. The basic idea is that the web service client must authenticate in order to call your web service.

Here are some techniques (there are others, or variations):

1) HTTP basic authentication and HTTPS

2) Mutual SSL authentication - Also called two-way authentication, it is a process in which both entities authenticate with each other. The server presents a certificate to the client and the client presents a certificate to the server.

3) With SOAP web services you can use WS-Security standard.

4) OAuth framework

5) With REST services you can use options 1), 2), 4), or implement one of your own. These are good recommendations.

As you can see, there are a lot of ways to secure a web service.

theBittor
  • Note that all of these are useful if you are authenticating the user of your service (since you can give each person a credential that they store part of in their head). They are not useful for authenticating an application. – Rob Napier Jun 27 '15 at 22:31
  • Good points, but as @RobNapier said, I meant the "application auth" situation, where the users don't authenticate. – user847294301 Jun 28 '15 at 06:38
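The first technique in the answer above, HTTP Basic authentication over HTTPS, comes down to a small amount of server-side logic: parse the `Authorization` header, look the user up, and compare credentials in a way that does not leak timing information. The following is an added example (not code from the question, the answer, or any project mentioned on this page); the credential store, user name and password are constructed for the example, and `is_https` stands in for whatever the real server exposes to tell you whether the request arrived over TLS. It also shows the refusals a practitioner should expect: missing header, wrong scheme, malformed base64, unknown user, wrong password, and a request that arrived over plain HTTP.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a constructed credential store: user -> (salt, pbkdf2 hash).
    A real deployment keeps this in a database, never the plaintext."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


def basic_header(user: str, password: str) -> str:
    """What an HTTP client sends; handy for building test requests."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Authorization: Basic <base64>' into (user, password).
    Returns None for a missing header, another scheme, invalid base64,
    or a payload without the ':' separator."""
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(store: Dict[str, Tuple[bytes, bytes]], header: Optional[str],
                 is_https: bool) -> bool:
    """Accept only when the request came over TLS (Basic auth otherwise sends
    the password in clear) and the presented credential matches the store."""
    if not is_https:
        return False
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    record = store.get(user)
    # Hash against a dummy salt even for unknown users so response timing
    # does not reveal which user names exist.
    salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
    candidate = _hash_password(password, salt)
    return record is not None and hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo credential; not a real account.
    store = make_store({"proxy-client": "correct horse battery staple"})
    hdr = basic_header("proxy-client", "correct horse battery staple")
    print("over https:", authenticate(store, hdr, is_https=True))
    print("over http: ", authenticate(store, hdr, is_https=False))
```

The `is_https` gate matters because Basic credentials are only base64-encoded, not encrypted; the `hmac.compare_digest` call and the dummy-salt path keep a wrong password and an unknown user from being distinguishable by response time.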

Is it possible to block connections to a web service (server) from outside its domain?

Certainly. Set your web server's access control lists to drop connections from outside of your IP range. Alternately, install a firewall. That's very straightforward, but I suspect you mean something else by "outside its domain?"

From your description, you seem to be really asking whether you can verify that you're only talking to your own client application. As a general rule, no. You can authenticate users. That's easy. If the user isn't logged in and authorized to use your service, you don't forward requests to Twitter. But you can't authenticate applications.

If you're going to accept any user who shows up, you can't stop them from using whatever client they want. There is no way to ensure that it is your unmodified client if you've allowed it to be run on their machine. They can always modify it, and they can always send you arbitrary traffic from other programs and you can't tell the difference. On the network, bytes are bytes.

It's not all hopeless; there are things you can do. See https://stackoverflow.com/a/9183066/97337 for another version of this question, and links to several other versions of the question. (They're not exactly duplicates in how they're asked, but they all wind up being basically the same answer.)

Rob Napier
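The practical consequence of this answer is that the server-side proxy should gate on something it can actually verify, a logged-in user, and then cap how much of the shared Twitter quota any one user can consume, so that an arbitrary client hammering the client-facing URLs cannot exhaust the application token on everyone's behalf. The following is an added example illustrating that pattern; it is not code from the answer or from any project mentioned on this page. The session table, user names, status codes and the `upstream` callable (which stands in for the server-side call that carries the app-only token) are constructed assumptions, and the limits are deliberately tiny so the behaviour is visible.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional, Tuple


@dataclass
class SlidingWindowLimiter:
    """At most `limit` recorded events per `window` seconds for each key."""
    limit: int
    window: float
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)

    def _bucket(self, key: str, now: float) -> Deque[float]:
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # forget events outside the window
            q.popleft()
        return q

    def allow(self, key: str, now: float) -> bool:
        return len(self._bucket(key, now)) < self.limit

    def record(self, key: str, now: float) -> None:
        self._bucket(key, now).append(now)


class TwitterProxy:
    """The server-side endpoint the AJAX client calls instead of Twitter.

    sessions: session cookie -> user id (constructed stand-in for a real
              session store); upstream: the call that spends the app token.
    """

    APP_KEY = "twitter-app-token"  # single shared upstream quota

    def __init__(self, sessions: Dict[str, str], upstream: Callable[[str], str],
                 per_user_limit: int, app_limit: int, window: float):
        self.sessions = sessions
        self.upstream = upstream
        self.user_limiter = SlidingWindowLimiter(per_user_limit, window)
        self.app_limiter = SlidingWindowLimiter(app_limit, window)

    def handle(self, session_cookie: Optional[str], query: str, now: float) -> Tuple[int, str]:
        """Return (status, body). Only an authenticated user with quota left
        causes an upstream call; everyone else is refused before the app
        token is spent. Bytes are bytes, so nothing here trusts the client,
        only the session it can prove it owns."""
        user = self.sessions.get(session_cookie) if session_cookie else None
        if user is None:
            return 401, "login required"
        if not self.user_limiter.allow(user, now):
            return 429, "per-user quota exceeded"
        if not self.app_limiter.allow(self.APP_KEY, now):
            return 503, "upstream quota exhausted, retry later"
        # Both checks passed: charge both budgets, then forward.
        self.user_limiter.record(user, now)
        self.app_limiter.record(self.APP_KEY, now)
        return 200, self.upstream(query)


if __name__ == "__main__":
    # Constructed demo: two logged-in users, two calls each per minute,
    # three calls per minute for the whole app.
    def fake_upstream(q: str) -> str:
        return "tweets for " + q

    proxy = TwitterProxy({"cookie-abc": "alice", "cookie-def": "bob"}, fake_upstream,
                         per_user_limit=2, app_limit=3, window=60.0)
    for cookie, t in [(None, 0.0), ("cookie-abc", 0.0), ("cookie-abc", 1.0),
                      ("cookie-abc", 2.0), ("cookie-def", 2.0), ("cookie-def", 3.0)]:
        print(cookie, t, proxy.handle(cookie, "python", t))
```

The per-user check runs before the app-wide check and neither budget is charged until both pass, so a user who is refused does not burn a slot, and the 503 path tells a well-behaved client to back off rather than letting one noisy session starve the rest.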