I have a Node server with a single POST endpoint. I am using it alongside a React app, but I do not want anyone else to be able to access it.

I set this server to handle data that I do not want or can manipulate in the client. One cannot retrieve any data from the server, but they can manipulate what they send in a particular way that I would want protected.

Is there any other way to prevent anyone from retrieving info from the POST endpoint without setting up user authentication?

I noticed that I can hit it with a cURL command if I have the correct url and the correct JSON data values.

I have set up CORS to only allow hits from my domain as follows:

// Express app using the cors middleware. The origin allowlist only decides
// which Origin values get an Access-Control-Allow-Origin response header.
const express = require('express');
const cors = require('cors');

const app = express();

app.use(
  cors({
    origin: [
      'http://myWebsite.com',
      'http://www.myWebsite.com',
      'https://myWebsite.com',
      'https://www.myWebsite.com',
    ],
  }),
);

EDIT WITH SOLUTION: For anyone who stumbles upon this, I added https://cryptojs.gitbook.io/docs/ to my frontend and my node server and added env variables on both as a secret. Without the crypto key, the service is not usable. That solved my problem.

dela1000

  • If there’s something worth protecting, I think this begs the question: why are you considering publishing an API in a publicly-accessible way *without* a proper authentication/authorization model to begin with? Further - CORS is not a security mechanism for you on the server side, it’s meant to protect users from inadvertently leaking information from their browser. You should absolutely not be relying on it to provide any meaningful security for your API. It’s (less than) trivial for an attacker to bypass such configurations. – esqew Nov 29 '22 at 23:05
  • Thanks for the response. I set this server to handle data that I do not want or can manipulate in the client. One cannot retrieve any data from the server, but they can manipulate what they send in a particular way that I would want protected. – dela1000 Nov 29 '22 at 23:23
  • No, there's no way. It's trivial to analyze the communication between your website and the server and to imitate it with tools like cURL or Postman – jabaa Nov 29 '22 at 23:44
  • I added https://cryptojs.gitbook.io/docs/ to my frontend and my node server and added env variables on both as a secret. Without the crypto key, the service is not usable. That solved my problem. – dela1000 Nov 30 '22 at 18:43

1 Answer

I have an idea: maybe you can allow only the IPs of the domains on your Nginx/Apache,

or in your API get the IP of the client and check if it is your IP server.

If it is, send the data;

if not, send empty data...

Next

  • “*you can allow only the IPs of the domains on your Nginx/Apache*” The machines serving this content are not the ones accessing the API - this advice would land the OP no closer to meeting their requirement. “*get the ip of the client and check if is your ip server*” What is an “*ip server*”, exactly? “*if not send empty data...*” This runs counter to many established standards - if a client is not authorized to access a resource the server should return the appropriate `401 Unauthorized` or `403 Forbidden` status code, not “*empty data*”. – esqew Nov 29 '22 at 23:11
  • That won't work. The OP speaks about setting up CORS. If they only allowed access from the IPs of their own domains then they would block access from browsers visiting their own domains. – Quentin Nov 29 '22 at 23:24