I've recently deployed my website and my back-end on the same vps, using nginx, but now when I do a request with PostMan to http://IP:port/route - I get the response from t
I think there's a bit of confusion here regarding CORS.
Cross Origin Resource Sharing is not used for desktop client to server / or server to server calls. From the link:
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.
So it's a web application to another server thing and its actual functionality is implemented by browsers.
Is this normal? Yes it is. This means that people who are using Postman can make requests to your server and it's your responsibility to ensure that you're protected against stuff like that. What browsers would do is they would take a look at what domains you allow your server to be called from and if it is a different domain trying to access the resource they will block it. Setting the list of domains that can access your resources is your / your server's responsibility, but enforcing that policy is the browser's responsibility. Postman is not a browser, so it doesn't necessarily implement this feature (and it doesn't have to).
If you are showing/leaking the tokens in the headers (on a different device than the one you have authenticated with, or before signing in) - that's a serious security problem. If it's happening on the device that you've signed in on and only after you sign in, then it's expected. This is assuming that you don't leak the information in any other way and designed / implemented it correctly.
There are prevention mechanisms to what you're worried about. And you might be on a service like that without even noticing it, your hosting / cloud deployment provider might have either an implementation or an agreement with another company / tool so you might be already protected. Best to check!
These are the first paid services to appear on a quick search, I'm sure there are more. There are also simple implementations which will offer some protection:
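To make the answer's point concrete, here is an added example (not code from the original thread): a minimal Python HTTP server where the CORS headers are purely advisory to browsers, while a bearer-token check does the real enforcement for every client, Postman included. The allowed origin, token and port are constructed placeholders.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for the demo; in a real deployment the token comes from
# your auth system and the origin list holds your site's real origin(s).
ALLOWED_ORIGINS = {"https://example.com"}
API_TOKEN = "constructed-demo-token"

def handle_request(method, path, headers):
    """Decide one request. Returns (status, response_headers, body).

    CORS headers only tell a *browser* whether a page from `Origin` may read
    the response; they never stop the request from reaching the server.
    Authorization is what actually protects the route, regardless of Origin.
    """
    resp = {}
    origin = headers.get("Origin")
    if origin in ALLOWED_ORIGINS:          # browser-facing hint only
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
    if method == "OPTIONS":                # preflight: no data, no auth needed
        resp["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        resp["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        return 204, resp, b""
    # Enforcement that applies to Postman, curl and browsers alike.
    auth = headers.get("Authorization", "")
    if not hmac.compare_digest(auth, "Bearer " + API_TOKEN):
        return 401, resp, b'{"error":"unauthorized"}'
    return 200, resp, b'{"route":"%s","ok":true}' % path.encode()

class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        status, hdrs, body = handle_request(self.command, self.path, self.headers)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = do_OPTIONS = _serve

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A request with a valid token but a foreign Origin still gets a 200 from the server; only the browser, seeing no matching Access-Control-Allow-Origin, refuses to hand the body to the page.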