
I recently got to set up a React app and a separate Node.js/Express application on a server. I want the React app to be able to fetch data from the Node application, but I don't want anyone from the outside to be able to access those API calls, neither from requests nor from direct links, Postman etc.

At first I thought about using express-ipfilter to only allow requests from the server, but I guess that won't work, since the requests will usually come from the user's IP!?

What would be the best way to enable my React application to do static API calls for its content, without exposing the API to the outside?

I am kind of lost on this, and any help or advice would be highly appreciated!

1 Answer


You can't make your app public to everyone and hide your API. The only thing you can do is allow CORS only for your domain, but anyone can still copy the curl and paste it in Postman. You need authentication to restrict the access (JWT, OAuth2, cookies etc...).

Matias
  • Ok, I thought so... thanks. I guess I'll look into JWT soon. –  Apr 11 '21 at 00:11
  • @DanielusDrachenberg keep searching.. The answer's not wrong, but I think there are additional things that may be useful for you: [CSRF Mitigation for Express.js with Same-Site Cookie flag](https://medium.com/node-security/cross-site-request-forgery-mitigation-for-express-js-apps-made-easy-using-the-same-site-cookie-flag-e19ee7d5b513), [Secure React app with CSRF](https://stackoverflow.com/a/59549909/7574023), [About Node app securing](https://stackoverflow.com/a/47299364/7574023), [CORS protection duplicate question](https://stackoverflow.com/a/52681047/7574023) – boolfalse Apr 11 '21 at 00:34
  • As you're using React.js for the web, cookies can be used, so you can use them for your needs anyway. But for REST APIs the only way to protect your endpoints is JWT, Firebase, OAuth2, as mentioned above (just to complete the comment). – boolfalse Apr 11 '21 at 00:37