Hi, let's say I'm building a Laravel-React app and both are in different repositories. So let's say I deployed the Laravel API at server.app.com and my front-end at app.com.
Now I want my Laravel API server.app.com to be accessed only by app.com; I don't want it to be accessed from anywhere else. That's why I can either check the host or use CORS and put app.com in the allowed origins.
But here I'm concerned that a malicious user will make a request from badapp.com and change the host header to app.com to pretend to be app.com. In that case, how can I protect against it?
@jlrdw Thank you for your response! No, it won't be a mobile app, it's just a React front-end web app. And can you please explain what you mean by "basic instruction on usage"?
Browsers prevent that malicious behavior. That's why there's CORS protection in browsers.
Keep in mind, that's only in browsers; if the request is coming from any HTTP request tool, it will pass. And you don't need to care about that scenario.
Thank you for your response! So there is no way to guard against that? But what if I'm trying to build a multi-tenant app API? Then I need to make sure that the correct domain registered on my site accesses that API, so how can I account for that?
What if an attacker performs "Host Header Injection" and changes the host header to a valid domain to make my app think that the request is coming from a legitimate domain?
Imagine users registering and adding domains to your website. However, a potential issue arises if a malicious user (the "attacker") points multiple domains to your site and manipulates the request headers. This could deceive your site into treating fake domains as valid ones.
Note: I'm using "Tenancy for Laravel" and I believe it handles multi tenancy just by using the $request->getHost() method.
@iftekhs With browsers, that will not be possible.
For other HTTP tools, whether used for testing or hacking, you shouldn't care about that; only care about setting up a secure authentication and authorization system to only allow logged-in and authorized users to access their resources.
@MohamedTammam Thank you again, I understand. I have another concern. Let's say I have a multi-tenant site at app.com; it is my multi-tenant app, and I have 3 tenants ['valid.com', 'website.com', 'good.com']. Now what if the user of valid.com knows another tenant, for example website.com; he knows the hostname. Now if the user changes the host header to website.com, then that user will be able to access data from a different tenant. So how should I actually check for the correct domain instead of just checking the host name?
@iftekhs Even if the user knows the other name, if the user is logged in and doesn't have access to other tenants, you shouldn't allow the access. You need to set up this authorization layer in your back-end.
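The back-end authorization layer recommended in the two answers above, written out as an added example (not code from this thread, from Laravel or from the Tenancy for Laravel package). It is framework-free PHP so it runs on its own: the tenant registry, the users, their tenant memberships, the per-tenant data and the helper names (resolveTenant, userMayAccessTenant, handleInvoicesRequest) are all constructed for illustration. In a real Laravel app the same logic would sit in a middleware reading $request->getHost() and $request->user(); Tenancy for Laravel already does the host-to-tenant lookup, and the membership check is the part you add on top of it.

```php
<?php
// Added example: the Host header is untrusted input from any non-browser
// client, so resolving the tenant from it is only safe when combined with
// a check that the authenticated user belongs to that tenant, and when all
// data access is scoped by the resolved tenant id. Everything below is
// constructed demo data, not a real schema.
declare(strict_types=1);

// Constructed tenant registry: domain => tenant id.
const TENANT_DOMAINS = [
    'valid.com'   => 1,
    'website.com' => 2,
    'good.com'    => 3,
];

// Constructed users: user id => tenant ids the user is a member of.
const USER_TENANTS = [
    10 => [1],     // a valid.com user
    20 => [2],     // a website.com user
    30 => [1, 3],  // a user with access to two tenants
];

// Constructed per-tenant data, always keyed by tenant id.
const TENANT_DATA = [
    1 => ['invoices' => ['valid-001', 'valid-002']],
    2 => ['invoices' => ['website-001']],
    3 => ['invoices' => ['good-001']],
];

/**
 * Resolve the tenant from the Host header. Normalise it (case, optional
 * port), accept only a plain hostname, and only a registered one. Unknown
 * hosts return null rather than falling back to some default tenant.
 */
function resolveTenant(string $hostHeader): ?int
{
    $host = strtolower(trim($hostHeader));
    $host = preg_replace('/:\d+$/', '', $host) ?? $host;
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return TENANT_DOMAINS[$host] ?? null;
}

/**
 * The authorization check: the logged-in user must be a member of the
 * tenant the request resolved to. This is what stops a valid.com user who
 * sends "Host: website.com" from a tool like curl from reading website.com
 * data, even though the header itself looks perfectly legitimate.
 */
function userMayAccessTenant(?int $userId, int $tenantId): bool
{
    if ($userId === null) {
        return false; // unauthenticated
    }
    return in_array($tenantId, USER_TENANTS[$userId] ?? [], true);
}

/**
 * Handle a request given as ['host' => ..., 'user_id' => ...] and return
 * [status, body]. Data is selected by the resolved tenant id only; nothing
 * the client sent is used directly as a lookup key.
 */
function handleInvoicesRequest(array $request): array
{
    $tenantId = resolveTenant($request['host'] ?? '');
    if ($tenantId === null) {
        return [404, ['error' => 'unknown tenant']];
    }
    if (!userMayAccessTenant($request['user_id'] ?? null, $tenantId)) {
        return [403, ['error' => 'forbidden']];
    }
    return [200, ['invoices' => TENANT_DATA[$tenantId]['invoices']]];
}

// Constructed demonstration requests. User 10 belongs to valid.com only.
$cases = [
    'own tenant'           => ['host' => 'valid.com', 'user_id' => 10],
    'spoofed Host header'  => ['host' => 'website.com', 'user_id' => 10],
    'case and port noise'  => ['host' => 'Valid.com:443', 'user_id' => 10],
    'unregistered domain'  => ['host' => 'badapp.com', 'user_id' => 10],
    'no session at all'    => ['host' => 'good.com'],
];
foreach ($cases as $label => $request) {
    [$status, $body] = handleInvoicesRequest($request);
    printf("%-20s -> %d %s\n", $label, $status, json_encode($body));
}
// Expected: 200, 403, 200, 404, 403 in that order.
```

Run it with `php example.php`. The spoofed-Host case is the one from the question: the header resolves to a real tenant, but the request still fails because the authenticated user is not a member of that tenant. Note also that a page script in a browser cannot set the Host (or Origin) header at all, which is why the earlier answer says the browser case needs no extra handling; this check is for every other client.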
@MohamedTammam I understand. So basically, for the pages that are public, there is no way to block them from being viewed from other domains. But protecting their secret data is the real concern, and making sure only authenticated people can access that data, correct?