
I am currently building a web application.

  • My front-end is developed using React and Axios (for API call requests). It is served directly by Nginx on app.mydomain.com

  • My back-end is developed using Django and Django Rest. It is served with Nginx and Gunicorn on api.mydomain.com. It only serves API endpoints.

So the front-end and the back-end are separated.

I would like only my front-end (app.mydomain.com) to be able to make API requests to my Django Rest backend.

I would like to prevent any other domain, any clients such as postman, insomnia, curl or any script to make API requests to my backend.

I have already set CORS in Django Rest. However, I can still make requests to the backend using curl or any other client.

Do you have any idea of what I could do to achieve this?

Thanks a lot in advance for your answers.

Gargos
  • This might help: https://stackoverflow.com/questions/35600443/django-allowed-hosts-not-working/35616168#35616168 – Mamdouh Alsarayreh May 03 '19 at 22:03
  • @MamdouhAlsarayreh Perfect, that works! Thanks a lot. Just wondering, is this solution secure? Am I sure nobody will be able to modify the HTTP_REFERER header? Are there other things to take into account? Thanks. – Gargos May 03 '19 at 23:01
  • Ever find the answer to this? I can't wrap my head around this exact question. – themissionmars Dec 20 '21 at 15:38

1 Answer


steps:

1. Install the package:

       python -m pip install django-cors-headers

2. Add it to your installed apps:

       INSTALLED_APPS = [
           ...,
           "corsheaders",
           ...,
       ]

3. Add a middleware class to listen in on responses (it must sit above CommonMiddleware):

       MIDDLEWARE = [
           ...,
           "corsheaders.middleware.CorsMiddleware",
           "django.middleware.common.CommonMiddleware",
           ...,
       ]

4. Allow the front-end origin, i.e. the domain the browser requests come from, not the API's own host:

       CORS_ALLOWED_ORIGINS = [
           "https://app.mydomain.com",
       ]

That's it!

sarvesh_r
  • This will not work. CORS policy is only enforced by Web Browsers, not by API clients like Postman. – Divine Nov 23 '22 at 10:54
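To make the point in that last comment concrete, here is an added example (not code from the question, the answer, or django-cors-headers) that mimics what a CORS middleware does on the server side: it only attaches `Access-Control-Allow-Origin` response headers, which a browser enforces, while the server still returns the data to any client. The second handler shows what actually rejects curl-style requests: a server-side authentication check. The origin, token value and handler names are constructed placeholders.

```python
# Added illustration, not part of the original Q&A.
# Hostnames and the token are constructed placeholders.

ALLOWED_ORIGINS = {"https://app.mydomain.com"}   # what CORS_ALLOWED_ORIGINS would hold
VALID_TOKENS = {"example-session-token"}         # constructed placeholder credential


def cors_headers(request_headers):
    """Mimic a corsheaders-style middleware: when the request's Origin is on
    the allowlist, add the response headers a browser needs to read the reply.
    These headers are advice to browsers only; the server still answers."""
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def handle_cors_only(request_headers):
    """Endpoint 'protected' only by CORS: the body is returned to everyone.
    A request without an Origin header (curl, Postman, scripts) simply gets
    the data with no CORS headers, which a non-browser client ignores."""
    return 200, cors_headers(request_headers), {"secret": "data"}


def handle_with_auth(request_headers):
    """Endpoint protected by real authentication: rejected unless a valid
    bearer token is presented, regardless of Origin or Referer."""
    auth = request_headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if token not in VALID_TOKENS:
        return 401, cors_headers(request_headers), {"detail": "unauthenticated"}
    return 200, cors_headers(request_headers), {"secret": "data"}


if __name__ == "__main__":
    curl_like = {"User-Agent": "curl/8.0"}                 # no Origin header at all
    browser_like = {"Origin": "https://app.mydomain.com"}  # what the React app sends
    print(handle_cors_only(curl_like))      # 200 with the body: CORS blocked nothing
    print(handle_cors_only(browser_like))   # 200 plus Access-Control-Allow-Origin
    print(handle_with_auth(curl_like))      # 401: authentication is what rejects it
    print(handle_with_auth({**browser_like, "Authorization": "Bearer example-session-token"}))
```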