JavaScript
myspace, 2017-03-11 17:45:44

How to securely link front and back applications via API?

How can the backend be protected from API access from another domain? If the backend processes requests such as

https://backend.site.ru/handler?method=get.all.news&page=2
and returns JSON, then it will be possible to contact the server and get the information from any domain. A token is also a useless option, since requests come from the client. If you do an IP check on the server running Node.js, how hard is it to change the IP?


3 answer(s)
Sergey Sokolov, 2017-03-11
@myspace

On the server, generate a token tied to a time and a secret known only to your server. For example, time=12345&hash=abcdef.
You can also include in the hash the IP address from which the next client entered, and his User-Agent.
Then the clients launched from your server will have the correct token in the code, fresh, not older than, say, 15 minutes. And they will apply it to each request to the API.
The villains will have to somehow recognize each new token every 15 minutes.
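
The token scheme described in the answer above, as an added Node.js example that is not part of the original post. The secret value, the function names, the 60-second clock-skew allowance and the choice of HMAC-SHA256 as the hash are assumptions.

```javascript
const crypto = require('crypto');

// Assumption: in a real deployment the secret comes from server-side config.
// This value is constructed for the example.
const SECRET = 'constructed-demo-secret';
const MAX_AGE_SECONDS = 15 * 60; // "not older than, say, 15 minutes"

// HMAC over time, client IP and User-Agent. Fields are newline-separated
// so that adjacent values cannot run together into a different valid input.
function sign(time, ip, userAgent) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${time}\n${ip}\n${userAgent}`)
    .digest('hex');
}

// Called when the server renders the front-end page for this client.
// Output format follows the answer: time=...&hash=...
function issueToken(ip, userAgent, now = Math.floor(Date.now() / 1000)) {
  return `time=${now}&hash=${sign(String(now), ip, userAgent)}`;
}

// Called on every API request. Returns 'ok' or the rejection reason.
function verifyToken(token, ip, userAgent, now = Math.floor(Date.now() / 1000)) {
  const params = new URLSearchParams(token);
  const timeStr = params.get('time') || '';
  const hash = params.get('hash') || '';
  if (!/^\d{1,12}$/.test(timeStr) || !/^[0-9a-f]{64}$/.test(hash)) return 'malformed';

  // Recompute the HMAC from the request's own IP and User-Agent and compare
  // in constant time (both buffers are 32 bytes after the format check).
  const expected = Buffer.from(sign(timeStr, ip, userAgent), 'hex');
  const given = Buffer.from(hash, 'hex');
  if (!crypto.timingSafeEqual(expected, given)) return 'bad-signature';

  const time = Number(timeStr);
  if (time > now + 60) return 'from-future'; // small clock-skew allowance
  if (now - time > MAX_AGE_SECONDS) return 'expired';
  return 'ok';
}
```

A token copied to a client with a different IP or User-Agent fails with 'bad-signature', and an edited time value fails the same way because the time is covered by the HMAC.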

GrimJack, 2017-03-11
@GrimJack

Maybe
htaccess.net.ru/doc/htaccess/order.php

Viktor_P, 2017-07-02
@Viktor_P

I'm not 100% sure, but I would start digging in this direction:
1. Move https://backend.site.ru/ to https://site.ru/backend and disable CORS
2. Or strictly specify Access-Control-Allow-Origin
