
mammadataei

Limit API access

Hi, I want my API to be accessible just from my SPA and nothing else can send a request to the API. How can I do that? Should I use CORS allowed_origins?

mammadataei

I'm currently using it.

I set 'supports_credentials' => false and 'allowed_origins' => ['...'] to the desired domain. Now the server prevents browser requests from other origins, but unfortunately it responds to other clients like Postman or curl. I want to prevent that.

Funfare
Best Answer

That is not possible. A request from JavaScript is a normal HTTP request, the same as any client can make. So you can't block IPs, nor block on any special header, because a client like Postman can send all of this.

Protect your backend with authentication and authorisation, so only a user can do what he is allowed to. Then it theoretically doesn't matter if he does it via your frontend or something else.
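
The answer above as an added example (not part of the original thread, and not Laravel's or the CORS package's own code): a framework-free PHP 8 model of what the server decides with CORS alone versus with a bearer-token check. The origin, token, sample requests and function names are all constructed for illustration.

```php
<?php
// Added example. ALLOWED_ORIGIN, TOKENS and the requests below are constructed.
const ALLOWED_ORIGIN = 'https://spa.example.test';
const TOKENS = ['constructed-token-123' => 'user-42']; // token => user id

// CORS only: the server always answers. It merely decides whether to add the
// header that lets a *browser* hand the response to the page's JavaScript.
function corsOnly(array $headers): array
{
    $response = ['status' => 200, 'headers' => [], 'body' => 'secret data'];
    if (($headers['Origin'] ?? null) === ALLOWED_ORIGIN) {
        $response['headers']['Access-Control-Allow-Origin'] = ALLOWED_ORIGIN;
    }
    return $response;
}

// With authentication: no valid bearer token means no data, whatever the client.
function corsPlusAuth(array $headers): array
{
    $auth  = $headers['Authorization'] ?? '';
    $token = str_starts_with($auth, 'Bearer ') ? substr($auth, 7) : '';
    if (!array_key_exists($token, TOKENS)) {
        return ['status' => 401, 'headers' => [], 'body' => ''];
    }
    return corsOnly($headers);
}

// Constructed requests: header sets as each kind of client might send them.
$requests = [
    'SPA in browser, logged in'  => ['Origin' => ALLOWED_ORIGIN,
                                     'Authorization' => 'Bearer constructed-token-123'],
    'curl, no Origin header'     => [],
    'curl, Origin set by hand'   => ['Origin' => ALLOWED_ORIGIN],
    'curl, same valid token'     => ['Authorization' => 'Bearer constructed-token-123'],
];

foreach ($requests as $label => $headers) {
    printf("%-28s cors-only=%d  cors+auth=%d\n", $label,
        corsOnly($headers)['status'], corsPlusAuth($headers)['status']);
}
```

With CORS alone every request gets the data; with the token check only authenticated requests do, and the last row shows that an authorised user is served regardless of which client sends the request.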

Spiral
/*installation Command*/
composer require barryvdh/laravel-cors	=>	/*v0.11.4*/

/*config/app.php*/ $providers
Barryvdh\Cors\ServiceProvider::class,

/*Publish barryvdh/laravel-cors package file*/
php artisan vendor:publish --provider="Barryvdh\Cors\ServiceProvider"

/*Use CORS Middleware*/	=>	/*app/Http/Kernel.php*/
protected $middlewareGroups = [
    'web' => [
       // ...
    ],

    'api' => [
        'throttle:60,1',
        'bindings',
        \Barryvdh\Cors\HandleCors::class,
    ],
];

protected $routeMiddleware = [
    'cors' => \Barryvdh\Cors\HandleCors::class,
];
