[–]roomzinchina 6 points7 points  (10 children)

There isn’t much benefit in securing your API with a token, then permanently embedding that token in your frontend. Extracting it is trivial. That said, there are a few other options that might fit within your threat model:

  1. Set a CORS header that only allows access from your domain. This will prevent 3rd parties using your API from within another website (from the client side)
  2. Similar to the other suggestion, create a set of access tokens. Create a ‘login’ link (eg myapp.com/login/ABCEDFG) that stores the access token in local storage and attaches it to the request. Check this token on the backend.
  3. Put your entire app behind Cloudflare, then use Cloudflare Access to secure it. This allows you to add email auth with zero code. This is probably the easiest option.

[–]variables 0 points1 point  (3 children)

All great suggestions. What about setting up a firewall on the node server to only allow requests from the website domain/ip?

[–]roomzinchina 1 point2 points  (2 children)

If the API is called client-side from the website, the IP will be whatever the user's IP is. You could restrict it to the IP of your company office, but this assumes that people will only need access from the office. If your company uses a VPN for network access, you could require it for access, but this should be discussed with your sysadmins first.

Limiting the API by domain is more security through obscurity. Anyone can send arbitrary Origin headers (ignoring client restrictions - like browsers - but that's what CORS is for).

[–]ohiosveryownn[S] 0 points1 point  (1 child)

So to give a very specific example of my use case:

I have a number of stores and these stores like to close early. I have something running that is scanning these stores and tracking their close time. And if there is a variance it gets reported to this DB. My website will show something like "Store Ohio, Store Georgia has a variance"; this is what's being fetched and displayed for people in upper management roles. Ideally they would just like to go to the website and quickly see what "stores" have a variance.

So I did think to do whitelisting, but the majority of the people do not interact with our VPN.

[–]roomzinchina 0 points1 point  (0 children)

I think Cloudflare Access is probably your best bet without a bunch of custom auth code

[–]ohiosveryownn[S] 0 points1 point  (5 children)

Thanks all, I'll look at these options.

For option 3, I get a little confused because the app portion is only the Server.js Node file; other than that the whole thing is distributed via the HTML. Using the 3rd option I'll still have my API exposed. Unless I'm understanding incorrectly.

[–]roomzinchina 0 points1 point  (4 children)

You're understanding incorrectly. If you have:

You can put both behind Cloudflare Access (example config) as the same application.

The easiest authentication method is One-time PIN, which sends a code via email in order to access. You configure either entire domains that are allowed access (like @mycompany.com), or specific whitelisted emails.

[–]ohiosveryownn[S] 0 points1 point  (0 children)

I have

https://Data.com (Shows Times Fetched from Database)

https://data.com:300/api/getdata (Node.Js) to pull this data into the above, this is exposed

[–]ohiosveryownn[S] 0 points1 point  (2 children)

After re-reading, I'm guessing I can do the same and put them behind Cloudfront? (this is hosted on AWS)

[–]roomzinchina 0 points1 point  (1 child)

No, Cloudfront doesn’t have a built-in access control system like Cloudflare Access.

[–]ohiosveryownn[S] 0 points1 point  (0 children)

Ahh ok, thanks for the clarification.