
I'm developing a web app with React and a GraphQL API with Node.js / Express. I would like to make the API more secure so that it's harder for API requests that don't come from the web app in the browser to get data. I know how to do it with registered users. But how do I let non-registered users still access some basic data needed for the app?

Is it possible to put some kind of key in the web app, so the API call can't be replicated by others by sniffing it in the browser's network dev tool and replaying it in Postman? Does SSL/TLS also secure requests against that browser tool? Or use something like a "standard" user for non-registered visitors?

It's a server-side web app with Next.js.

I know there's no 100% secure API, but maybe it's possible to make unauthorized access harder.

Edit: I'm not sure if this is a problem about CSRF, because it's not about accessing user data or changing data through malicious websites etc. It's about other people trying to use the website data (all GET requests to the API), who can easily build their own web app on top of my API. So the goal is that no one can easily query my API through simple Postman requests.

mkwcc

  • Use a CSRF token: https://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work – baao Jun 03 '18 at 10:43
  • Possible duplicate of [What is a CSRF token ? What is its importance and how does it work?](https://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work) – bennygenel Jun 03 '18 at 10:56

1 Answer

The quick answer is no, you can't.

If you're trying to prevent what can be described as legit users from accessing your API, you can't really do it. They can always fake the same logic and hit your web page first before abusing the API. If this is what you're trying to prevent, your best bet is to add rate limiting to the API to prevent a single user from making too many requests to your API (I'm the author of ralphi, and express-rate-limit is very popular).

But if you are actually trying to prevent another site from leeching off you and serving your content to their users, it is actually easier to solve.

Most browsers send a Referrer header with the request; you can check this header and see that requests are actually coming from users on your own site (this technique is called leech protection).

A leeching site can try to proxy requests to your API, but since they are all going to come from the same IP they will hit your rate limiting, and it can only serve a few users before being blocked.

One thing the leecher site can do is try to cache your API so it won't have to make so many requests. If this is a possible case you are back to square one, and you might need to manually block its IP once you notice such abuse. I would also check if it's legal, because it might be breaking the law.

Another option similar to Referrer is to use SameSite cookies. They will only be sent if the request is coming directly from your site. They are probably more reliable than the Referrer, but not all browsers actually respect them.

Yoni Jah
  • If another site is leeching the API, the site's backend can still spoof Referrer header and cookies. As you said, the only "real" protection is requiring an API key for every request so at least you know _who_ is leeching, and require that API keys be generated only when something like a reCAPTCHA is submitted successfully, so that generation of API keys can't be automated and you can log the IP address of users that generate API keys, which is useful unless the user is behind a VPN or some other form of proxy. – Patrick Roberts Jun 14 '18 at 16:28
  • @PatrickRoberts They can only fake the referrer if they are proxying the request, and that is where your regular rate limit should kick in. CAPTCHA is a nice option, but the site can proxy the CAPTCHA back to the user that is anyway surfing the site (though it's technically harder). I think blocking per IP is a much better solution in this case since most sites will have a single dedicated IP, and as a user I personally don't like CAPTCHAs – Yoni Jah Jun 14 '18 at 16:34
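The two controls the answer and the comments settle on (a per-IP rate limit plus a "leech protection" check on the site of origin) as one dependency-free Node.js sketch. This is an added example, not code from the answer above nor from ralphi or express-rate-limit; `ALLOWED_ORIGINS`, the IP addresses and the request literals are made up for the illustration, and the request objects are plain `{ headers, ip }` values rather than Express requests so the file runs with the standard library alone. Note that the header the answer calls "Referrer" is spelled `Referer` on the wire; the check below prefers the `Origin` header when present, because browsers set it on cross-origin and POST requests (which is what a GraphQL client sends) and page script cannot alter it, and falls back to `Referer` otherwise. The constructed `proxy` request shows the caveat from the comments: a server that proxies requests forges the header and passes the allowlist, so only the rate limit catches it.

```javascript
// Added example (not the answer's own code): per-IP rate limiting plus a
// Referer/Origin allowlist for a public API endpoint, using only Node built-ins.

// Origins allowed to call the API. Hypothetical value for the example.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Reduce a Referer/Origin header value to scheme+host, or null if absent or unparseable.
// Parsing with URL (a Node global) means "https://evil.example/?u=https://app.example.com"
// yields "https://evil.example", so substring matching attacks do not pass.
function originOf(headerValue) {
  if (typeof headerValue !== "string" || headerValue.length === 0) return null;
  try {
    return new URL(headerValue).origin;
  } catch {
    return null;
  }
}

// Leech check. Origin is preferred; Referer is the fallback for plain GET navigations.
// A request carrying neither is rejected, because our own app always sends one of them.
// Caveat: a server-side proxy can forge both headers; only the rate limit catches that.
function isFromAllowedSite(headers, allowed = ALLOWED_ORIGINS) {
  const origin = originOf(headers.origin) ?? originOf(headers.referer);
  return origin !== null && allowed.has(origin);
}

// Fixed-window per-IP rate limiter. `now` is injectable so behaviour is testable.
// `ip` should be the socket address, or the address your own reverse proxy put in
// X-Forwarded-For; never trust that header from an arbitrary client.
class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { windowStart, count }
  }

  // Records one request from `ip` and reports whether it is within the limit.
  // Rejected requests are still counted, so a client hammering the endpoint keeps
  // being rejected until its window expires.
  hit(ip, now = Date.now()) {
    let bucket = this.buckets.get(ip);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: now, count: 0 };
      this.buckets.set(ip, bucket);
    }
    bucket.count += 1;
    return { allowed: bucket.count <= this.limit, remaining: Math.max(0, this.limit - bucket.count) };
  }
}

// Gate a request: count it against the limit first (so the allowlist cannot be
// probed for free), then check where it claims to come from.
function gate(req, limiter, now) {
  const { allowed, remaining } = limiter.hit(req.ip, now);
  if (!allowed) return { status: 429, reason: "rate limit exceeded", remaining };
  if (!isFromAllowedSite(req.headers)) return { status: 403, reason: "not from allowed site", remaining };
  return { status: 200, reason: "ok", remaining };
}

// Constructed requests for the demo (header names lowercased, as Node presents them).
function demo() {
  const limiter = new RateLimiter({ limit: 3, windowMs: 60_000 });
  const t0 = 1_000_000;
  const browser = { ip: "203.0.113.7", headers: { origin: "https://app.example.com" } };
  const postman = { ip: "203.0.113.8", headers: {} }; // no Origin or Referer at all
  const proxy = { ip: "198.51.100.9", headers: { referer: "https://app.example.com/home" } }; // forged

  return {
    browser: gate(browser, limiter, t0).status, // 200: real page load
    postman: gate(postman, limiter, t0).status, // 403: fails the leech check
    // Forged Referer passes the allowlist three times, then the per-IP limit bites.
    proxyStatuses: [0, 1, 2, 3].map((i) => gate(proxy, limiter, t0 + i * 1000).status),
    proxyAfterWindow: gate(proxy, limiter, t0 + 61_000).status, // 200: window has reset
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In an Express app the same `gate` would run as middleware in front of the GraphQL handler, with `req.ip` supplied by Express (set `trust proxy` only if a reverse proxy you control sits in front). The limit of 3 per minute is deliberately tiny for the demo; a real value depends on how many queries one page load legitimately issues.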