How to prevent non-browser clients from sending requests to my server

Backend · unresolved · 2 · 1410
日久生厌 2021-01-03 10:58

I've recently deployed my website and my back-end on the same vps, using nginx, but now when I do a request with PostMan to http://IP:port/route - I get the response from t

2 answers
  • 2021-01-03 11:12

    Nodejs - Express CORS:

    npm i --save cors and then require or import according to your use case.

    To enable server-to-server and REST tools like Postman to access our API -

    const express = require('express');
    const cors = require('cors');
    const app = express();

    // Allow whitelisted browser origins, and also any request that carries
    // no Origin header at all (server-to-server calls, curl, Postman).
    var whitelist = ['http://example.com']
    var corsOptions = {
      origin: function (origin, callback) {
        if (whitelist.indexOf(origin) !== -1 || !origin) {
          callback(null, true)
        } else {
          callback(new Error('Not allowed by CORS'))
        }
      }
    }
    
    app.use(cors(corsOptions));
    
    

    To disable server-to-server and REST tools like Postman to access our API - Remove !origin from your if statement.

    const express = require('express');
    const cors = require('cors');
    const app = express();

    // Only whitelisted origins pass; a request with no Origin header is
    // rejected because `undefined` is never in the whitelist.
    var whitelist = ['http://example.com']
    var corsOptions = {
      origin: function (origin, callback) {
        if (whitelist.indexOf(origin) !== -1) {
          callback(null, true)
        } else {
          callback(new Error('Not allowed by CORS'))
        }
      }
    }
    
    app.use(cors(corsOptions));
    
    

    It's really easy to implement and there are many options available with express cors module. Check full documentation here https://expressjs.com/en/resources/middleware/cors.html

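An added example, not part of the answer above: the decision that answer's `origin` callback makes, pulled out into a pure function so it can be exercised without express or cors installed, and run against four constructed requests (a browser on the whitelisted site, a browser on another site, a REST tool sending no Origin header, and a REST tool that sets `Origin: http://example.com` by hand). The request objects and the whitelist are constructed for the example.

```javascript
// Added example: the cors `origin` decision as a pure function, plus constructed
// requests that show what the check does and does not distinguish.

// Same decision as the answer's callback: allow if the Origin header is on the
// whitelist; when allowMissingOrigin is true, also allow requests with no Origin.
function isOriginAllowed(whitelist, allowMissingOrigin, origin) {
  if (origin === undefined) return allowMissingOrigin;
  return whitelist.includes(origin);
}

// Adapter with the (origin, callback) signature the cors middleware expects, so
// the same function can be used as corsOptions.origin.
function makeOriginCallback(whitelist, allowMissingOrigin) {
  return function (origin, callback) {
    if (isOriginAllowed(whitelist, allowMissingOrigin, origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  };
}

// Constructed sample requests (header names lower-cased, as Node's http module
// presents them). Any non-browser client can set Origin to any value it likes.
const SAMPLE_REQUESTS = {
  browserFromWhitelistedSite: { headers: { origin: 'http://example.com' } },
  browserFromOtherSite:       { headers: { origin: 'http://evil.example' } },
  postmanNoOrigin:            { headers: {} },
  postmanForgedOrigin:        { headers: { origin: 'http://example.com' } },
};

// Run every sample request through the callback and record the decisions.
function evaluate(whitelist, allowMissingOrigin) {
  const decide = makeOriginCallback(whitelist, allowMissingOrigin);
  const result = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    // The callback is invoked synchronously here, so result is filled in place.
    decide(req.headers.origin, (err, ok) => {
      result[name] = !err && ok === true;
    });
  }
  return result;
}

const WHITELIST = ['http://example.com'];            // constructed whitelist
const withMissingAllowed = evaluate(WHITELIST, true);  // the answer's first variant (with `|| !origin`)
const withMissingBlocked = evaluate(WHITELIST, false); // the second variant (without it)

console.log('with `|| !origin`   :', withMissingAllowed);
console.log('without `|| !origin`:', withMissingBlocked);
```

Removing `!origin` changes exactly one row, `postmanNoOrigin`. The `postmanForgedOrigin` row is allowed by both variants, because the server only ever sees the header value the client chose to send; the origin check is meaningful only for clients that refuse to forge it, which is what the next answer explains.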
  • 2021-01-03 11:21

    I think there's a bit of confusion here regarding CORS.

    Cross Origin Resource Sharing is not used for desktop-client-to-server or server-to-server calls. From the link:

    Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.

    So it's a web application to another server thing, and its actual functionality is implemented by browsers.

    1. Is this normal? Yes it is. This means that people who are using Postman can make requests to your server and it's your responsibility to ensure that you're protected against stuff like that. What browsers would do is they would take a look at what domains you allow your server to be called from and if it is a different domain trying to access the resource they will block it. Setting the list of domains that can access to your resources is your / your server's responsibility, but enforcing that policy is the browser's responsibility. Postman is not a browser, so it doesn't necessarily implement this feature (and it doesn't have to).

    2. If you are showing/leaking the tokens in the headers (in a different device than what you have authenticated with or before signing in) - that's a serious security problem. If it's happening on the device that you've signed-in and only after you signing in, then it's expected. This is assuming that you don't leak the information in any other way and designed / implemented it correctly.

    3. There are prevention mechanisms for what you're worried about. And you might be on a service like that without even noticing it: your hosting / cloud deployment provider might have either an implementation or an agreement with another company / tool, so you might already be protected. Best to check!

    These

    • Cloudflare DDOS Protection
    • Amazon Shield

    are the first paid services to appear on a quick search, I'm sure there are more. There are also simple implementations which will offer some protection:

    • Ruby Rack
    • npm ddos
    • Another node solution with Redis
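An added example, not from the answer above or from any of the packages it lists: the kind of "simple implementation which will offer some protection" that the answer mentions, written as a token-bucket rate limiter keyed by the client's socket address. The clock is injected so the refill behaviour can be checked without waiting in real time; the request objects, addresses and limits are constructed for the example, and the Express-style middleware at the end assumes the usual `(req, res, next)` signature.

```javascript
// Added example: per-client token-bucket rate limiting for a Node HTTP backend.

class TokenBucketLimiter {
  // capacity: burst size; refillPerSecond: sustained rate; now(): clock in ms
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }

  // Returns true if the request identified by `key` may proceed, consuming a token.
  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, updatedAt: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = Math.max(0, t - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.updatedAt = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Forget buckets idle longer than idleMs so the map cannot grow without bound
  // under a flood of distinct source addresses. Returns the number dropped.
  prune(idleMs) {
    const t = this.now();
    let dropped = 0;
    for (const [key, b] of this.buckets) {
      if (t - b.updatedAt > idleMs) {
        this.buckets.delete(key);
        dropped++;
      }
    }
    return dropped;
  }
}

// Key clients by the peer address of the socket, not by a header the client
// controls: X-Forwarded-For is only trustworthy when your own proxy sets it.
function clientKey(req) {
  return req.socket && req.socket.remoteAddress ? req.socket.remoteAddress : 'unknown';
}

// Express-style middleware (assumed signature): 429 when the bucket is empty.
function rateLimitMiddleware(limiter) {
  return function (req, res, next) {
    if (limiter.allow(clientKey(req))) return next();
    res.statusCode = 429;
    res.setHeader('Retry-After', '1');
    res.end('Too Many Requests');
  };
}

// Drive the limiter with constructed requests on a fake clock.
function simulate() {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ capacity: 5, refillPerSecond: 1, now: () => clock });
  const req = { socket: { remoteAddress: '203.0.113.7' } };      // constructed client
  const burst = [];
  for (let i = 0; i < 7; i++) burst.push(limiter.allow(clientKey(req)));
  clock += 2000; // two seconds later: two tokens have refilled
  const later = [1, 2, 3].map(() => limiter.allow(clientKey(req)));
  const other = limiter.allow('198.51.100.9');                   // separate bucket per client
  clock += 60000;
  const pruned = limiter.prune(30000);                           // both buckets now idle
  return { burst, later, other, pruned };
}

console.log(simulate());
```

The first five requests in the burst pass and the next two are refused; after two simulated seconds exactly two more pass; a different address gets its own full bucket. A limiter like this lives in one process's memory, so behind several backend instances the per-client counts are split between them, which is the gap the Redis-backed solution in the answer's list is meant to close.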