Hello, I have a Laravel web application that makes AJAX requests to my own API routes.
The web has no user system, and I'd want to limit the API routes so no one could make requests with external tools; the acceptable requests should only come from the same web application. How could I do that?
Laravel 7 has built-in CORS support now. You can configure CORS to only allow API requests from a particular IP address and/or other things like that. You can set it up to only respond to certain requests from a particular domain, etc.
Take a look at the config/cors.php file in your project to see the different options.
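As an added example (not part of the original answer), this is what a `config/cors.php` restricted to a single origin can look like, next to the defaults Laravel 7 ships with. The origin `https://app.example.com` and the chosen methods and headers are assumptions for illustration.

```php
<?php
// config/cors.php (Laravel 7, provided by the fruitcake/laravel-cors package)
// Added example: https://app.example.com is a placeholder for the site's own origin.

return [
    // Apply the CORS middleware only to the API routes.
    'paths' => ['api/*'],

    // Shipped default: ['*']. List only the verbs the front end actually sends.
    'allowed_methods' => ['GET', 'POST'],

    // Shipped default: ['*'], which lets JavaScript on any site read the responses.
    // Requests from pages served by the same origin as the API are not
    // cross-origin, so the browser does not consult this list for them.
    'allowed_origins' => ['https://app.example.com'],

    // Regex alternatives to the exact-match list above; unused here.
    'allowed_origins_patterns' => [],

    // Shipped default: ['*']. X-XSRF-TOKEN is the header Laravel's bundled
    // axios setup sends with each request.
    'allowed_headers' => ['Content-Type', 'X-Requested-With', 'X-XSRF-TOKEN'],

    'exposed_headers' => [],

    // Seconds a browser may cache the preflight result (shipped default: 0).
    'max_age' => 600,

    // Leave false unless cross-origin requests must carry cookies.
    'supports_credentials' => false,
];
```

These settings only control which response headers the server emits; the browser is what enforces them, so a client that is not a browser still receives the response.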
Thanks! I didn't know about this new configuration :D
This would prevent other websites from making AJAX requests to my web, but CORS only works for browsers as far as I know. Is there something I could do to prevent requests from external tools?
I was thinking of authenticating all the visitors with a "guest" user, and putting the auth:api middleware on the API routes. This way I could authenticate the user with the XSRF token... But I fear that it's a bit overcomplicated and there's a simpler way :)