
Mahmoud-Faisal

Laravel API Protection

I'm trying to make an API using Laravel 10 and Sanctum.

I have, for example, these routes:

1. GET articles

2. GET articles/{article}

3. POST articles

4. PUT articles/{article}

For routes 3 and 4 you have to be logged in to access the API, so we can use the auth:sanctum middleware and all is good. But the other two routes (1 and 2) can be consumed from the front end without requiring the user to be logged in, so how can I protect these routes so that only my front end (with a known domain) and my mobile application can access them, and not any other third-party app?

martinbean

@mahmoud-faisal If you don’t want third parties to be able to use your API then you need to add authentication. There’s no magic way to make an API accessible from one source and not another.

Mahmoud-Faisal

@martinbean Why should the user be logged in to be able to view an article? Like Facebook, for example: you can view someone's posts without signing in, but you have to log in in order to comment.

Isn't there any way, like whitelisting the domains that can access this type of API?

martinbean

"Isn't there any way, like whitelisting the domains that can access this type of API?"

@Mahmoud-Faisal No. If it’s a public API endpoint, then it’s public. Anything sent in a request (such as Referer/Origin headers) can be easily spoofed by the client.

You can add CORS, but that won't protect against people accessing your API using a non-JavaScript approach, such as cURL, Postman, or building a proxy service to scrape your API if it provides access to high-value content worth scraping.

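To make the two points in martinbean's replies concrete (CORS headers are enforced only by browsers, so Origin/Referer do not restrict who can call a public route, while a credential does), here is an added example that is not part of the thread and not Laravel code. A small Python HTTP server stands in for the API: its GET /api/articles route is public and mimics what a CORS middleware configured with an allowed_origins list actually does, and its POST route requires a bearer token the way an auth:sanctum-protected route would. The hostname, port, origins, token value and article data are all constructed for the demo.

```python
"""Added example (not from the thread): why CORS does not restrict who can call a public API.

GET /api/articles answers every client with the full body; it only *adds*
Access-Control-Allow-Origin when the Origin header is on the allowlist, which is exactly
what a CORS middleware does. A browser uses that header to decide whether the page may
read the response; curl, Postman, a mobile app or a script never consult it, and any of
them can send whatever Origin value they like. POST /api/articles shows the contrast: a
credential is the only thing that actually restricts a route.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values. ALLOWED_ORIGINS plays the role of config/cors.php
# 'allowed_origins'; VALID_TOKEN plays the role of a Sanctum personal access token.
ALLOWED_ORIGINS = {"https://myapp.example"}
VALID_TOKEN = "demo-token-123"
ARTICLES = [{"id": 1, "title": "Hello"}, {"id": 2, "title": "World"}]


class ArticlesHandler(BaseHTTPRequestHandler):
    def _send_json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        # CORS middleware behaviour: decorate the response with a hint for browsers.
        # Note that the body is sent regardless of what Origin says.
        origin = self.headers.get("Origin")
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # Public route (routes 1 and 2 in the question): nothing to authenticate,
        # so every caller gets the articles.
        if self.path != "/api/articles":
            self._send_json(404, {"error": "not found"})
            return
        self._send_json(200, ARTICLES)

    def do_POST(self):
        # Protected route (routes 3 and 4): a bearer token, not a header like Origin,
        # is what decides whether the request is served.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        if self.path != "/api/articles":
            self._send_json(404, {"error": "not found"})
            return
        if self.headers.get("Authorization", "") != f"Bearer {VALID_TOKEN}":
            self._send_json(401, {"error": "unauthenticated"})
            return
        self._send_json(201, {"id": 3, "title": "Created"})

    def log_message(self, *args):
        pass  # keep the demo output quiet


def call(port, method, origin=None, token=None):
    """Issue a request the way any HTTP client could (curl, Postman, a script).
    Returns (status, Access-Control-Allow-Origin header or None, decoded body)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/api/articles", method=method,
                                 data=b"{}" if method == "POST" else None)
    if origin is not None:
        req.add_header("Origin", origin)  # a non-browser client can set any value here
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin"), json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Access-Control-Allow-Origin"), json.loads(err.read())


def run_demo():
    """Start the stand-in API on an ephemeral localhost port and exercise it."""
    server = HTTPServer(("127.0.0.1", 0), ArticlesHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            # Three GETs: the server cannot tell the "real" front end from the others.
            "get_allowed_origin": call(port, "GET", origin="https://myapp.example"),
            "get_other_origin": call(port, "GET", origin="https://evil.example"),
            "get_no_origin": call(port, "GET"),  # curl / Postman / mobile app
            # Two POSTs: a matching Origin without a token is refused; a token without
            # any Origin is accepted.
            "post_allowed_origin_no_token": call(port, "POST", origin="https://myapp.example"),
            "post_token_no_origin": call(port, "POST", token=VALID_TOKEN),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, acao, body) in run_demo().items():
        print(f"{name:30s} status={status} Access-Control-Allow-Origin={acao!r} body={body}")
```

Run it and compare the three GET rows: all return 200 with both articles, and the only difference is the Access-Control-Allow-Origin header, which is advice to a browser rather than a gate. A Laravel app with config/cors.php restricted to the front-end domain behaves the same way from the point of view of a scraper. The POST rows show what martinbean's first reply means by "add authentication": the request carrying the matching Origin is rejected with 401 and the one carrying the token succeeds regardless of Origin.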
Mahmoud-Faisal

@martinbean So in a case like this the API endpoint should be public and can't be restricted to my apps only. Looks like there may not be any other way. Thank you so much.
