I recently saw this SO post about getting the domain of a request. I'm wondering if this information would be reliable (i.e. can an attacker "fake" this info?). Specifically, the domain and request type (GET, POST, etc.). The reason I ask is because I'm not sure if I can use this to secure my application's backend. I figured that I should only allow POST requests from my own domain.

APixel Visuals

1 Answer

Requests sent by clients (like browsers) don't come from a specific domain. They come from a client's IP address. That client may be running a web page from a particular site, but any information included in the request to that effect cannot be trusted and can be spoofed to be anything the client wants. Think about this again. Client requests don't come FROM a domain. They come from the client who may or may not have received a web page from a particular domain before making the API request.

So, NO you cannot use client-supplied page domain information to implement any sort of reasonable security. If the request does include information about what web page the code for the request came from, then that information can easily be spoofed by a rogue client.

APIs that are used from a browser can be required to be used in combination with a logged in user (via login cookie or some sort of security token obtained after login), but cannot be "secured" beyond that. If a browser is able to reach your API, any other client, including rogue clients, can reach the API too.

The types of protection that people like Google put on their APIs that are used from within browsers are:

  • API tokens that allow them to track usage by a particular token and/or revoke tokens that misuse the service
  • Rate limiting to prevent a particular API user or IP address from misusing the API service
  • Licensing about permitted uses and then server-side tracking of what appears to be or not be permitted usage
  • Monitoring of a logged in user's usage to revoke logins that misuse the service API
  • Short-lived API tokens that are dynamically generated in web pages and regularly changing.

So, you can require an API account or a user login before allowing access to your service. Beyond that, one would just typically protect the API from misuse while also realizing that a determined custom client can still access the API.

I figured that I should only allow POST requests from my own domain.

You should only allow POST requests from a valid, logged in user (require login credentials with each API request) and you should only allow them to affect data that that specific user has the rights to modify. You can't control where the requests come from or what type of client is doing them.

jfriend00
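As an added illustration of the answer's point, here is a small, framework-free Python model of the two approaches: gating a POST on the client-supplied Origin/Referer header (what the question proposes) versus requiring a login token and checking that the logged in user owns the resource being modified (what the answer recommends). This is example code written for this page, not code from the thread; the `Request` shape, the `TRUSTED_ORIGIN` value, the in-memory session and ownership stores and the sample requests are all constructed for the demonstration.

```python
"""Origin-header gating vs. login-token + ownership gating for POST requests.

Example code written for this page (not from the Stack Overflow thread).
Everything here is an in-memory model: the Request class stands in for
whatever your framework hands you, and the sessions/ownership tables stand
in for a real session store and database.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed value: the domain the question's author would like to trust.
TRUSTED_ORIGIN = "https://app.example"


@dataclass
class Request:
    method: str
    headers: dict   # every header value here was chosen by the client
    body: dict


# Approach 1 (the question's idea): trust the page domain the client reports.
# Origin and Referer are set by the client, so a script or modified browser
# can send whatever value it likes; this check only filters honest clients.
def allow_by_origin(req: Request) -> bool:
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return req.method == "POST" and origin.startswith(TRUSTED_ORIGIN)


# Approach 2 (the answer's recommendation): require a valid login and only
# let the logged in user modify data that user has rights to.
class Backend:
    def __init__(self):
        self._sessions = {}   # session token -> user id (constructed store)
        self._owner = {}      # resource id -> owning user id (constructed store)

    def login(self, user: str) -> str:
        """Issue an unguessable session token after a (not shown) credential check."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def create_resource(self, resource_id: str, user: str) -> None:
        self._owner[resource_id] = user

    def _user_for(self, token: str):
        # Constant-time comparison so token lookup leaks nothing via timing.
        for known, user in self._sessions.items():
            if hmac.compare_digest(known.encode(), token.encode()):
                return user
        return None

    def authorize_post(self, req: Request):
        """Return (allowed, reason_or_user). Ignores Origin/Referer entirely."""
        if req.method != "POST":
            return False, "not a POST"
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = self._user_for(token) if token else None
        if user is None:
            return False, "no valid login"
        resource_id = req.body.get("resource")
        if self._owner.get(resource_id) != user:
            return False, "user does not own this resource"
        return True, user


def demo() -> dict:
    """Run constructed requests through both checks and report the outcomes."""
    backend = Backend()
    alice_token = backend.login("alice")
    bob_token = backend.login("bob")
    backend.create_resource("doc-1", "alice")

    # A rogue client simply claims to come from the trusted domain.
    spoofed = Request("POST", {"Origin": TRUSTED_ORIGIN}, {"resource": "doc-1"})
    # Alice's real logged in session modifying her own resource.
    legit = Request("POST", {"Authorization": f"Bearer {alice_token}"}, {"resource": "doc-1"})
    # Bob is logged in, but the resource belongs to Alice.
    bob_on_alice = Request("POST", {"Authorization": f"Bearer {bob_token}"}, {"resource": "doc-1"})
    # A made-up token of the right length but never issued by the server.
    forged = Request("POST", {"Authorization": "Bearer " + "x" * 43}, {"resource": "doc-1"})

    return {
        "origin_check_accepts_spoof": allow_by_origin(spoofed),
        "token_check_rejects_spoof": backend.authorize_post(spoofed)[0],
        "token_check_accepts_owner": backend.authorize_post(legit)[0],
        "token_check_rejects_non_owner": backend.authorize_post(bob_on_alice)[0],
        "token_check_rejects_forged": backend.authorize_post(forged)[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The spoofed request sails through `allow_by_origin` because the server has no way to know where the request was really composed; the same request is refused by `authorize_post`, which never looks at Origin or Referer and instead asks two questions the server can actually answer: is this a session it issued, and does that user have rights to the resource in the body.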