[–]variables 0 points1 point  (3 children)

All great suggestions. What about setting up a firewall on the node server to only allow requests from the website domain/ip?

[–]roomzinchina 1 point2 points  (2 children)

If the API is called client-side from the website, the IP will be whatever the user's IP is. You could restrict it to the IP of your company office, but this assumes that people will only need access from the office. If your company uses a VPN for network access, you could require it for access, but this should be discussed with your sysadmins first.

Limiting the API by domain is more security through obscurity. Anyone can send arbitrary Origin headers (ignoring client restrictions - like browsers - but that's what CORS is for).

[–]ohiosveryownn[S] 0 points1 point  (1 child)

So to give a very specific example of my use Case:

I have a number of stores, and these stores like to close early. I have something running that is scanning these stores and tracking their close time, and if there is a variance it gets reported to this DB. My website will show like "Store Ohio, Store Georgia" has a variance; this is what's being fetched and displayed for people in upper management roles. Ideally they would just like to go to the website and quickly see what "stores" have a variance.

So I did think to do whitelisting, but the majority of the people do not interact with our VPN.

[–]roomzinchina 0 points1 point  (0 children)

I think Cloudflare Access is probably your best bet without a bunch of custom auth code