
I have a registration end-point.

If someone discovered it, they could send garbage registrations into my database using cURL.

Is it possible to prevent all cURL requests that do not originate from www.mydomain.com, so I don't need to worry about malicious accounts being created?

Note: I'm using nginx on Ubuntu, and under /etc/nginx/sites-available/default I set

    location / {
        # save origin ip address
        proxy_set_header X-Forwarded-For $remote_addr;
        #...
    }

and in my end-point I have

    var express = require('express');
    var app = express();

    app.get('/api/register', function (req, res) {
        // prefer the address nginx forwarded, fall back to the TCP peer
        var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
        console.log(ip);
        res.end();
    });

but the console always logs my host IP address, whether I send the request from my hosted website (using HTML and a form) or I send a cURL request from my PC at home.

I also tried tinkering with

app.enable('trust proxy')

from Express.js: how to get remote client address

user1709076

1 Answer

The registration API can be trivially discovered by looking at the source of your web client application or at the network traffic, so it should not be considered a secret.

The X-Forwarded-For header will provide the name / IP of any proxies that the query traversed on the way from the browser to your API; it will not provide an indication of where the form was loaded from (during your tests you get the IP of your server because that is where you have your nginx reverse proxy set up). The header that shows where your client code loaded from would be the Referrer header, something which is easily spoofed and not much of a security control. You could use a session to check that the API call comes from a user that has previously loaded your code, but again this is easily reproducible outside your app.

So, to answer your question: no, there is no way to ensure that HTTP requests to your API only come from your client code. In a way it is the beauty of the API, so that clients can be implemented by anyone.

One approach to avoid the abuse of an unauthenticated API call such as the "registration" you are trying to protect would be to implement a CAPTCHA challenge whose solution is a parameter to your API call; with a complex enough CAPTCHA algorithm you ensure that the requests cannot be automated to create a large number of users, which is the threat you are trying to protect against.

llmora
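As an added example (not code from the question or the answer), here is the walk Express performs under `trust proxy` when it resolves `req.ip` from X-Forwarded-For, written as a plain Node function so it runs without Express installed. The trusted proxy addresses and the sample requests are constructed; it assumes nginx is the only trusted hop and sets X-Forwarded-For itself (as the `$remote_addr` line in the question does), so nginx's value is always the rightmost entry.

```javascript
// Added example, not the question's or answer's code. Assumption: nginx is the
// only trusted proxy and it writes X-Forwarded-For before forwarding to Express.

// Addresses trusted to have written an honest X-Forwarded-For entry:
// loopback (nginx on the same box) plus a constructed internal proxy address.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '10.0.0.5']);

// Mirrors what Express does with "trust proxy": start at the TCP peer, move
// left through X-Forwarded-For while each hop is a trusted proxy, and return
// the first address that is NOT a trusted proxy. Entries further left were
// supplied by an untrusted party and are never consulted.
function clientIp(remoteAddress, xffHeader, trusted = TRUSTED_PROXIES) {
  const hops = (xffHeader || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // Chain in network order; the rightmost element is the direct TCP peer.
  const chain = [...hops, remoteAddress];
  for (let i = chain.length - 1; i > 0; i--) {
    if (!trusted.has(chain[i])) return chain[i];
  }
  // Every hop to the right was trusted: the leftmost entry is the best answer.
  return chain[0];
}

// Constructed sample requests (not real traffic):
// 1. Browser -> nginx (127.0.0.1) -> app. nginx wrote the browser's address.
const viaNginx = clientIp('127.0.0.1', '203.0.113.7');
// 2. A client connecting straight to the app port and supplying its own
//    X-Forwarded-For. The peer is not a trusted proxy, so the header is ignored.
const direct = clientIp('198.51.100.9', '203.0.113.7');
// 3. Client-supplied junk that survived in front of nginx's own entry; the
//    walk stops at the first untrusted hop, which is the one nginx wrote.
const prefixed = clientIp('127.0.0.1', '8.8.8.8, 203.0.113.7');

console.log(viaNginx, direct, prefixed); // 203.0.113.7 198.51.100.9 203.0.113.7
```

What this yields is the network source of the connection, useful for logging and per-address rate limits, but it still says nothing about whether the request was issued by your page, which is the answer's point.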