Answer the question
In order to leave comments, you need to log in
How to restrict access to website api?
The question is hackneyed, but I did not find a solution.
There is front.web.ru, files are accessed and api.web.ru, how to restrict access to current api for the site front.web.ru? How to give access to api.web.ru only if the request comes from the front.web.ru domain?
I suspect that there is no way, because - all headers can be faked (or not?), And the front itself is given in the browser, so you can’t attach a key to it and the application logic does not allow you to enter authorization.
But I could be wrong, for example, the site dadata.ru protects the user's token from the left passengers by restricting the domain, but I have no idea how they do it.
EDIT!!!
It's my fault, of course, for asking the wrong question.
On the front.web.ru domain there is a site, on the pages of which content is dragged by ajax from the site to api.web.ru, that's the point. The most common combination of ajax and json.
The easiest way I came up with is to place google recaptcha 3 (which is invisible) on all pages of the project. But hell knows how he behaves in such situations.
Answer the question
In order to leave comments, you need to log in
Simple solution: JSON with API - only for authorized users, for everyone else - static content, collected entirely on the server side.
Each API function request is 2 requests to the API with receiving and executing on the client side an obfuscated JS task between them , and with a time limit between them from 1 to 3 seconds:
1st - request signature to API (or getting a public key) and getting a JS task
2nd - getting a response to a request to the API (if everything is correct and REFERER is allowed )
1. When loading the page, by requesting the API (via JS) on the API side, we generate a temporary public token (PUB-TOKEN) and a JS task based on the HTTP protocol parameters (IP, REFERER, etc ..).
2 Then, we execute the JS task and immediately exchange the PUB-TOKEN through a repeated request to the API ( using the JS code received from the API and obfuscated! ) for a public key (API-KEY).
3. API-KEY is saved in cookies.
*the page appeared in the browser*
We sign the request with the public API-KEY specifically for this client and again make two requests to the API:
1 Sending data to check the processing of the request and receiving a JS code with a temporary token (PUB-TOKEN). Execution of JS code with API-KEY, PUB-TOKEN, TIMESTAMP parameters.
2 Sending the result of executing the JS code and receiving the result of the request to the API.
0. All invalid requests and REASONS! their occurrence (for example, it is possible that, due to the connection speed, you will have to compensate for the PUB-TOKEN lifetime, increasing it to 5-10 seconds)!
1. All requests must be UNIQUE!
2. Do not allow requests to be reused.
3. The task code in JS for obtaining a public key or executing requests to the API must:
1) And "on the forehead" with the help of iptables? same IP?
2) api.web.ru = 127.0.0.1 ...
3) Using web servers (for example, apache - allow? deny?)
4) ..htaccess - I don't remember rewritemod works with ip addresses...
If the request is made from the client, then in general there is no way to prevent the client from forging the request. But you can complicate it (obfuscation, Referer, CORS and all that).
We in the api signs the request. And we check who sends requests to us.
Key, signature, data. And on the api side, we check whether the signed data converges. If yes, then let the user.
If not, redirect.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question