
Salutations!

I have just completed my first REST API, deployed on Heroku, and I decided it would be cool to make $0 a month through RapidAPI.

The rapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.

However, when I access the site in a browser or in Postman, there is no need for an API key and therefore no restrictions on GET requests.

I have noticed that the test code makes a fetch request to the RapidAPI URL for the project, but how can I make the Heroku URL accessible only from RapidAPI?

I know it's extremely unlikely someone will find my Heroku app URL, but it is technically possible.

I appreciate your time and insights.

Thanos Dodd

2 Answers


RapidAPI provides 2 security features to support this:

  • set X-RapidAPI-Proxy-Secret in the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
  • the list of IP addresses used by RapidAPI is provided: you can check/validate for every API call.

There might be Heroku add-ons to help with the IP filtering, but those are typically enterprise plugins (with associated cost).

Beppe C

RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but they are hidden from the API consumers.

Find more details in this page: https://docs.rapidapi.com/docs/secret-headers-parameters

Harry Coder