How to make sure that only a specific domain can query from your REST api?

I have an app that has a REST api. I want it so that the only requests that can be made to the REST api are ones originating from the app itself. How can I do that?
I am using a node.js+express server too.

EDIT: the app is fully a public web app.

Simply define the header in your request, what this does is, it allows requests only from a certain domain, and instantly rejects any other domain.

response.set('Access-Control-Allow-Origin', 'domain.tld');

EDIT: IF you’re really keen against web scraping stuff, you could make a function to double check client’s origin.

function checkOrigin (origin) {
   if (origin === "your.domain.tld") {
     return true;
   } else {
     return false;
/* Handling it in response */
if (checkOrigin(response.headers.origin)) {
  // Let client get the thing from API
} else {
  response.write("Send them error that they're not allowed to use the API");

Above example should work for the default HTTP/HTTPS module, and should also work for Express, if I’m not mistaken.

EDIT 2: To back my claim up that it should also work for Express, I found this quotation at their documentation;

The req (request) and res (response) are the exact same objects that Node provides, so you can invoke req.pipe(), req.on(‘data’, callback), and anything else you would do without Express involved.

I would recommend using an API key from the client. CORS filters are too easy to circumvent.

A simple approach for securing a How to implement a secure REST API with node.js

Read More:   How to validate a form with multiple checkboxes to have atleast one checked

Overview from above post:

Because users can CREATE resources (aka POST/PUT actions) you need to secure your api. You can use oauth or you can build your own solution but keep in mind that all the solutions can be broken if the password it’s really easy to discover. The basic idea is to authenticate users using the username, password and a token, aka the apitoken. This apitoken can be generated using node-uuid and the password can be hashed using pbkdf2

Then, you need to save the session somewhere. If you save it in memory in a plain object, if you kill the server and reboot it again the session will be destroyed. Also, this is not scalable. If you use haproxy to load balance between machines or if you simply use workers, this session state will be stored in a single process so if the same user is redirected to another process/machine it will need to authenticate again. Therefore you need to store the session in a common place. This is typically done using redis.

When the user is authenticated (username+password+apitoken) generate another token for the session, aka accesstoken. Again, with node-uuid. Send to the user the accesstoken and the userid. The userid (key) and the accesstoken (value) are stored in redis with and expire time, e.g. 1h.

Now, every time the user does any operation using the rest api it will need to send the userid and the accesstoken.

The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .

Similar Posts