movepixels

Laravel API security

I have a Laravel back-end API which is meant / intended for my website application to use. It's a public API in the sense that parts of the website will be accessing the API without login requirements.

So, for example, anyone can go to the site, click "rates", and it will make the API call and return rates; in that sense it's public / no auth needed, since this part of the site is public.

But how can I prevent other people / sites from simply making the same request to that API endpoint and hijacking the data from my server for their use?

Basically I would like the API to accept requests that only come from my website.

The secured API endpoints are protected when a user logs in and JWTs come into play.

Peppermintology

You could add your domain to the allowed_origins array in config/cors.php. Something along the lines of:

'allowed_origins' => ['*example.com'],
movepixels

Adding in your suggestion blocks every request now.

cors.php // Using Laravel 7 fruitcake cors package

    'paths' => ['*'],

    // one method per array element; a single comma-joined string is one element that matches no real method
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],

    'allowed_origins' => ['*.dev.xyz'], // local testing currently

    'allowed_origins_patterns' => [],

    'allowed_headers' => [
        'Accept',
        'Authorization',
        'Content-Type',
        'Cookie',
        'DNT',
        'Origin',
        'User-Agent',
        'X-Requested-With',
    ],

    'exposed_headers' => [
        'Accept',
        'Authorization',
        'Origin',
        'Content-Type',
        'X-Requested-With',
    ],

    'max_age' => 0,

    'supports_credentials' => false,

Dev tools simply says: CORS error InvalidAllowOriginValue

Request URL: http://api.dev.xyz/v1/stats/count
Referrer Policy: strict-origin-when-cross-origin

Peppermintology

Apologies, there shouldn’t have been a period between the asterisk and domain.

movepixels

Just a follow-up.

Seems the problem was the paths.

I set mine to

    'paths' => ['v1/*'], // api.site.com/v1

    // one method per array element
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],

    'allowed_origins' => [env('APP_FRONTEND')], // beats changing this for dev / testing / production
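For reference, here is a complete config/cors.php for the fruitcake/laravel-cors package that pulls the pieces of this thread together. It is an added example, not the original poster's file or the package's shipped default; the `APP_FRONTEND` variable, the `dev.xyz` host and the `v1/*` path prefix are placeholders taken from the thread, and the regex is an assumption about which sub-domains you want to allow. Two points the thread circles around: `allowed_origins` takes exact origins (scheme + host, optionally port) that the package echoes back verbatim in `Access-Control-Allow-Origin`, which is why a value containing `*` produces the browser's `InvalidAllowOriginValue` error, while wildcards belong in `allowed_origins_patterns` as anchored regular expressions. Note also that CORS only limits what JavaScript running on another origin may read in a browser; it does not authenticate the caller, so data served by an unauthenticated endpoint should be treated as public and rate-limited (Laravel's built-in `throttle` middleware) rather than considered protected by this file.

```php
<?php
// config/cors.php (added example for fruitcake/laravel-cors on Laravel 7;
// not the poster's file). Placeholders: APP_FRONTEND, dev.xyz, v1/*.

return [
    // Attach CORS headers only to the API routes. 'v1/*' matches /v1/... on
    // the API host; use 'api/*' if the routes live under /api instead.
    'paths' => ['v1/*'],

    // One HTTP method per element. A single 'GET, POST, ...' string is one
    // element that never equals any real method name.
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],

    // Exact origins only: scheme + host (+ port), no path, no wildcard. The
    // matching entry is echoed back in Access-Control-Allow-Origin, and the
    // browser rejects anything that is not a valid origin.
    // .env example (constructed): APP_FRONTEND=https://www.example.com,https://app.example.com
    'allowed_origins' => array_values(array_filter(explode(',', env('APP_FRONTEND', '')))),

    // Wildcards go here as regular expressions tested against the full Origin
    // header. Keep them anchored (^ and $) so an unrelated host whose name
    // merely contains "dev.xyz" does not match.
    'allowed_origins_patterns' => [
        '#^https://([a-z0-9-]+\.)?dev\.xyz$#i',
    ],

    // Request headers the front-end is allowed to send cross-origin.
    'allowed_headers' => ['Accept', 'Authorization', 'Content-Type', 'X-Requested-With'],

    // Response headers front-end JavaScript may read; usually none are needed.
    'exposed_headers' => [],

    // How long (seconds) the browser may cache a preflight result.
    'max_age' => 600,

    // Only true when the front-end sends cookies; credentials cannot be combined
    // with a wildcard Allow-Origin, so the exact-origin list above is required.
    'supports_credentials' => false,
];
```

After editing the file, run `php artisan config:clear` so the cached config is rebuilt; a stale cache is an easy way to keep seeing the old CORS behaviour while testing.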
