
I am trying to have my API be accessible from a specific subdomain. Currently my Settings.py file is structured as:

ALLOWED_HOSTS = [
    'localhost',
    'http://localhost:7999'
]

...
...
...

CORS_ORIGIN_ALLOW_ALL = False

CORS_ORIGIN_WHITELIST = [
    'http://localhost:8001'
]

CORS_ALLOW_METHODS = [
    'DELETE',
    'GET',
    'OPTIONS',
    'PATCH',
    'POST',
    'PUT'
]

Let's say I wanted the API to be accessible only from localhost:7999, but specifying localhost in the ALLOWED_HOSTS variable makes all the subdomains able to access the API. Is there a way around this without having to use CORS?

    What exactly do you mean by "from"? A website hosted at `localhost:7999` is allowed to access the API, but a website hosted at `example.com` may not? That is fundamentally impossible. Within a browser you can control that by CORS, but nothing's stopping anyone from calling your API from anywhere, like the command line. That's not what the `ALLOWED_HOSTS` setting does. – deceze Oct 14 '20 at 08:11
  • Hi, it may be possible to check the previous URL that the call is coming from by using `request.META.get('HTTP_REFERER')` and do something as needed. You may need to set an if statement somewhere, or maybe create a middleware or ..., anything you prefer – mh-firouzjah Oct 14 '20 at 08:17
  • @Mahdi Generally yes, but that is anything but reliable. Within a browser, CORS is more powerful. Outside the browser, that check doesn't protect anything. – deceze Oct 14 '20 at 08:19
  • Sorry, I meant I wanted the API to serve localhost:7999 and any other requests shouldn't be acknowledged. – aDev Oct 14 '20 at 08:20
  • Still ambiguous. Are you saying your server can be reached via multiple domains/ports, and it should only answer requests on one specific port? Or, again, only answer requests made from a website hosted on a specific port/domain? – deceze Oct 14 '20 at 08:21
  • It should only answer requests made from a website hosted on a specific port/domain. – aDev Oct 14 '20 at 08:23
  • @deceze so, you mean `request.META.get('HTTP_REFERER')` is not working for api calls? or only will work for browser requests? – mh-firouzjah Oct 14 '20 at 08:24
  • @Mahdi I'm saying that's an arbitrary HTTP header which can be spoofed. Hence it is no *protection* in any way. – deceze Oct 14 '20 at 08:26
  • @deceze is this one a solution? `CORS_ALLOWED_ORIGINS`: a list of origins that are authorized to make cross-site HTTP requests, from this link https://pypi.org/project/django-cors-headers/ – mh-firouzjah Oct 14 '20 at 08:31
  • @Mahdi Yes, CORS is enforced in the browser and will prevent JavaScript on websites from making requests to servers which don't explicitly allow them to. But again, that only works because the browser enforces CORS on JavaScript running within it. No such restriction exists if I crawl your API using `curl` or Postman or whatever. – deceze Oct 14 '20 at 08:36
  • I want the backend setup to prevent users from crawling the Django backend's API endpoints. – aDev Oct 14 '20 at 08:44
  • Yeah, that's fundamentally impossible. Read the duplicates… – deceze Oct 14 '20 at 08:48
  • Yeah, I just realized that. Thank you. – aDev Oct 14 '20 at 08:58
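To make the distinction drawn in these comments concrete, here is an added example (not code from the question, from Django, or from django-cors-headers) that mimics how Django's ALLOWED_HOSTS check and a CORS origin whitelist each treat the same request; the function names and the constructed sample requests are assumptions. It shows that ALLOWED_HOSTS only validates the Host header (an entry with a scheme like 'http://localhost:7999' can never match), that CORS only decides which header is attached to an otherwise-served response, and that a client sending no Origin at all is served regardless.

```python
# Added illustration, not Django's own implementation. Names are assumptions.

# Settings as posted in the question.
ALLOWED_HOSTS = ['localhost', 'http://localhost:7999']
CORS_ORIGIN_WHITELIST = ['http://localhost:8001']


def host_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Mimic ALLOWED_HOSTS matching: the bare hostname from the Host header
    (port dropped) is compared against plain names and leading-dot wildcards.
    An entry that carries a scheme, like 'http://localhost:7999', never matches
    because a Host header never contains a scheme."""
    host = host_header.split(':')[0].lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == host:
            return True
        if pattern.startswith('.') and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def cors_allow_origin(origin, whitelist=CORS_ORIGIN_WHITELIST):
    """Return the Access-Control-Allow-Origin value the server would emit, or
    None. The Origin header (scheme://host[:port]) is compared exactly."""
    if origin is None:          # non-browser clients usually send no Origin
        return None
    return origin if origin in whitelist else None


def handle(headers):
    """Simulate the server's decision for one request as (status, cors_header).
    A bad Host is rejected with 400; anything else is served, and CORS only
    chooses the header. Whether the response is readable is decided by the
    caller's browser, which is why a curl-style client is never blocked here."""
    if not host_allowed(headers.get('Host', '')):
        return 400, None
    return 200, cors_allow_origin(headers.get('Origin'))


# Constructed sample requests (not captured traffic).
BROWSER_FROM_8001 = {'Host': 'localhost:7999', 'Origin': 'http://localhost:8001'}
BROWSER_FROM_OTHER = {'Host': 'localhost:7999', 'Origin': 'http://other.example'}
CURL_NO_ORIGIN = {'Host': 'localhost:7999'}
WRONG_HOST = {'Host': 'api.other.example'}

if __name__ == '__main__':
    for name, req in [('browser from 8001', BROWSER_FROM_8001),
                      ('browser from other site', BROWSER_FROM_OTHER),
                      ('curl, no Origin', CURL_NO_ORIGIN),
                      ('wrong Host', WRONG_HOST)]:
        print(f'{name}: {handle(req)}')
```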

0 Answers