Protecting a route used by a single domain


I have a Laravel application hosted in a subdomain and need to allow its API (which has a single POST route) to be used only by the application hosted in the main domain.

What is the simplest way to protect this route? I thought about using JWT, but since the route usage is automated, I had problems with expired tokens. I also thought about creating a middleware to check the user-agent, but it can be modified.

asked by anonymous 31.10.2017 / 11:12

1 answer


CSRF Protection:

If you are worried about someone reading the content, there are two "different" situations:

Get your /json.json on the client side via Javascript/Ajax.

Get your /json.json on the "server" / "client" side via cURL/Wget/Webviewer (and "custom browsers").

The first situation is easier and indeed "there is something to be done" to prevent:

Add the Access-Control-Allow-Origin header, strict for your website.

(Optional) Add the Access-Control-Allow-Headers, limit the headers (eg X-CSRF-TOKEN) that can be sent.

(Optional) Add the Access-Control-Allow-Methods, limit the accepted methods (eg GET) so only this method will be accepted.

So you can use:

header('Access-Control-Allow-Methods: GET');

I recommend seeing this answer.

Add a CSRF Token.

The CSRF Token must be valid for a single session only. (Recommended)

The CSRF Token must be valid for a single IP. (Optional)

The CSRF Token must expire after a single use. (Optional)

The CSRF Token should be unique for each URL or for each follow-up.

You can read this answer

Not very effective but can help:

Checking Referrer/Origin is easily faked. The second situation is impossible to correct; literally, there is no way to prevent it: everything listed above is not enough to prevent the use of cURL/Wget.

Create a Rate-Limit, a limit on how many times the page can be accessed per second per IP (or per IPv6 range); it is relatively efficient, as it will require the use of several IPv4 addresses to get the content consistently, but remember proxies and CGNAT. Block access via TOR and public proxies.

Much less efficient but can help:

Create a "challenge" in Javascript, such as the one CloudFlare uses.

Other answers that may complement:

Api Rest server side only

Authentication via OAuth for REST APIs

31.10.2017 / 11:32
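The three controls the answer lists (a CORS policy strict to one origin, a CSRF token bound to session, IP and URL with an expiry and single use, and a per-IP rate limit) in plain PHP, as an added example that is not part of the answer above and not Laravel's own middleware. Everything here is an assumption for illustration: the origin `https://www.example.com`, the secret, the in-memory arrays standing in for a cache, and the route being POST (the answer's own example used GET); the file runs stand-alone with `php file.php`.

```php
<?php
// Added example, not from the original answer: framework-free sketch of the
// controls discussed (CORS allow-list, bound single-use CSRF token, rate limit).
// All names, constants and the in-memory stores are assumptions.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://www.example.com'; // assumed main domain
const TOKEN_TTL      = 300;                       // token lifetime, seconds
const RATE_LIMIT     = 5;                         // requests per second per IP

// 1. CORS: emit Access-Control-* headers only for the main domain. Any other
//    Origin gets none, so the browser refuses to let that page read the reply.
function corsHeaders(string $origin): ?array {
    if ($origin !== ALLOWED_ORIGIN) {
        return null;
    }
    return [
        'Access-Control-Allow-Origin'  => ALLOWED_ORIGIN,
        'Access-Control-Allow-Methods' => 'POST',
        'Access-Control-Allow-Headers' => 'Content-Type, X-CSRF-TOKEN',
        'Vary'                         => 'Origin',
    ];
}

// 2. CSRF token = base64("nonce.expires.HMAC(secret, session|ip|url|nonce|expires)").
//    The HMAC ties it to one session, one client IP and one URL; "expires"
//    bounds its lifetime; the nonce store makes it single use.
function issueToken(string $secret, string $session, string $ip, string $url, int $now): string {
    $nonce   = bin2hex(random_bytes(16));
    $expires = $now + TOKEN_TTL;
    $mac     = hash_hmac('sha256', "$session|$ip|$url|$nonce|$expires", $secret);
    return base64_encode("$nonce.$expires.$mac");
}

// $used is the set of accepted nonces (in production: a cache entry kept for
// at least TOKEN_TTL seconds so a replay after restart is still caught).
function validateToken(string $secret, string $token, string $session, string $ip,
                       string $url, int $now, array &$used): bool {
    $parts = explode('.', (string) base64_decode($token, true), 3);
    if (count($parts) !== 3) {
        return false;                                   // malformed
    }
    [$nonce, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                                   // expired
    }
    $expected = hash_hmac('sha256', "$session|$ip|$url|$nonce|$expires", $secret);
    if (!hash_equals($expected, $mac)) {
        return false;                                   // other session/IP/URL, or forged
    }
    if (isset($used[$nonce])) {
        return false;                                   // already spent: replay
    }
    $used[$nonce] = true;
    return true;
}

// 3. Rate limit: at most RATE_LIMIT hits per IP inside the current one-second
//    window ($now is a whole-second timestamp; $hits is the per-IP hit log).
function allowRequest(string $ip, int $now, array &$hits): bool {
    $hits[$ip] = array_values(array_filter($hits[$ip] ?? [], fn($t) => $t >= $now));
    if (count($hits[$ip]) >= RATE_LIMIT) {
        return false;
    }
    $hits[$ip][] = $now;
    return true;
}

// Constructed demo run (values below are made up for the demo).
$secret = 'assumed-app-secret';
$used   = [];
$hits   = [];

var_dump(corsHeaders('https://www.example.com') !== null);  // true: main domain
var_dump(corsHeaders('https://evil.example.net'));          // NULL: no CORS headers

$token = issueToken($secret, 'sess-1', '203.0.113.7', '/api/post', 1000);
var_dump(validateToken($secret, $token, 'sess-1', '203.0.113.7', '/api/post', 1001, $used)); // true
var_dump(validateToken($secret, $token, 'sess-1', '203.0.113.7', '/api/post', 1001, $used)); // false: single use

$other = issueToken($secret, 'sess-1', '203.0.113.7', '/api/post', 1000);
var_dump(validateToken($secret, $other, 'sess-1', '198.51.100.2', '/api/post', 1001, $used)); // false: other IP
var_dump(validateToken($secret, $other, 'sess-1', '203.0.113.7', '/api/post', 1400, $used)); // false: expired

for ($i = 0; $i < RATE_LIMIT; $i++) {
    allowRequest('203.0.113.7', 2000, $hits);
}
var_dump(allowRequest('203.0.113.7', 2000, $hits));   // false: sixth hit in the same second
var_dump(allowRequest('203.0.113.7', 2001, $hits));   // true: new window
```

Two design points worth noting. The CORS headers only constrain browsers, which is exactly the answer's "first situation"; a cURL client never sees a difference, so the token check and the rate limit are what stand between the route and a scripted caller. Binding the token to the client IP (the answer's optional item) is what breaks when the main-domain application sits behind a proxy or CGNAT, so on such a deployment the `$ip` argument should be the value the proxy reports rather than `REMOTE_ADDR`, or the IP binding should be dropped.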