
Express Gateway allows you to use key-auth to restrict access to certain users / apps.
However, when it concerns a web app, it means that you cannot obscure the credentials at the client (in the sense that they are public info).

Typically you would want to only allow requests from a certain domain, like I have seen with Google Maps.
How can this be achieved with express-gateway?

html_programmer

2 Answers


Found it here:

policies:
  - cors:
      - action:
          origin: http://www.example.com
          credentials: true

Dev tools don't care about CORS, but that is not a problem.
The main goal is to prevent other apps from using the API key, and the gateway can be rate limited.

html_programmer
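Added example, not express-gateway's own code and not from the answer's author: it models the three gateway policies this thread relies on (cors, key-auth, rate-limit) as plain functions over constructed request objects, so the effect of each policy on browser and non-browser callers can be checked offline. The header name `x-api-key`, the key value, the consumer table and the rate-limit parameters are constructed for illustration; only the origin value comes from the answer's YAML.

```javascript
// Added example, not express-gateway's own code and not from the answer's author.
// It models the three gateway policies this thread relies on (cors, key-auth,
// rate-limit) as plain functions over constructed request objects, so the effect
// of each policy on browser and non-browser callers can be checked offline.
// Header names, key values and limits below are constructed for illustration.

const ALLOWED_ORIGIN = 'http://www.example.com'; // same value as the answer's YAML

// Constructed key table: hypothetical key -> consumer name, not real credentials.
const API_KEYS = new Map([['key-for-webapp', 'webapp']]);

// cors policy with `origin: <one origin>` and `credentials: true`, as in the
// answer. Returns the headers to add and whether a browser would expose the
// response to the calling page (null when no browser page is involved).
function corsHeadersFor(req, allowedOrigin = ALLOWED_ORIGIN) {
  const origin = req.headers.origin;
  if (origin === undefined) {
    // No Origin header: curl, server-side code or a same-origin navigation.
    // CORS adds no headers and blocks nothing; the request is handled normally.
    return { headers: {}, browserAllowed: null };
  }
  if (origin !== allowedOrigin) {
    // Page on another site: no Access-Control-Allow-Origin is sent, so the
    // browser hides the response from that page. The server still ran it.
    return { headers: {}, browserAllowed: false };
  }
  return {
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      Vary: 'Origin',
    },
    browserAllowed: true,
  };
}

// key-auth policy: the key travels with every request from the web app, so
// anyone who can read the page source or the traffic can replay it.
function keyAuth(req) {
  const key = req.headers['x-api-key']; // constructed header name
  return API_KEYS.has(key) ? { ok: true, consumer: API_KEYS.get(key) } : { ok: false };
}

// rate-limit policy: fixed window per authenticated consumer. `max` and
// `windowMs` are assumed parameters, not express-gateway's defaults.
function makeRateLimiter({ max, windowMs }) {
  const windows = new Map(); // consumer -> { start, count }
  return function allow(consumer, now) {
    let w = windows.get(consumer);
    if (!w || now - w.start >= windowMs) {
      w = { start: now, count: 0 };
      windows.set(consumer, w);
    }
    w.count += 1;
    return w.count <= max;
  };
}

// Run one request through cors -> key-auth -> rate-limit and report the outcome.
function handle(req, limiter, now) {
  const cors = corsHeadersFor(req);
  const base = { headers: cors.headers, browserAllowed: cors.browserAllowed };
  const auth = keyAuth(req);
  if (!auth.ok) return { ...base, status: 401 };
  if (!limiter(auth.consumer, now)) return { ...base, status: 429 };
  return { ...base, status: 200 };
}

// Constructed sample requests covering the cases discussed in the thread.
const SAMPLES = {
  ownSite: { method: 'GET', headers: { origin: ALLOWED_ORIGIN, 'x-api-key': 'key-for-webapp' } },
  otherSite: { method: 'GET', headers: { origin: 'https://other.example', 'x-api-key': 'key-for-webapp' } },
  curlWithKey: { method: 'GET', headers: { 'x-api-key': 'key-for-webapp' } },
  noKey: { method: 'GET', headers: { origin: ALLOWED_ORIGIN } },
};

// Sends each sample once (limit 3 per window), then the curl-style request a
// second time so the same consumer exceeds the window.
function runSamples() {
  const limiter = makeRateLimiter({ max: 3, windowMs: 60000 });
  const results = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    results[name] = handle(req, limiter, 0);
  }
  results.curlWithKeyAgain = handle(SAMPLES.curlWithKey, limiter, 0);
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The `otherSite` case is what the answer's config buys: the request is served, but a page on another origin never gets to read the response. The `curlWithKey` case is the "dev tools don't care about CORS" point in code: no Origin header means CORS has nothing to act on and the key alone is enough, which is why the rate limit per consumer is the backstop when the key is public.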

Express recommends using TLS for communication from the client to the server. However, if that is not the use case you need here, maybe some of the other recommendations listed here may help: https://expressjs.com/en/advanced/best-practice-security.html

adlopez15
  • Of course, but the API key cannot be safely stored at the web client, which renders it sort of useless from that perspective. The only way I see is to only allow the API key from the same domain at the API gateway, or do proxy hocus pocus. – html_programmer Jan 06 '20 at 10:10
  • Ah, got it. Apologies I could not be of more help here. – adlopez15 Jan 06 '20 at 18:04