I have the following architecture,
My main website
API on the same domain
The API needs authorisation from the user side to receive requests; however, I am putting another level of security on it which requires a header field with an encoded value to be present in the request message. So let’s say the header is called X-AUTH.
I need to make sure, using Workers, that I can inject this header field into the request when a call is made to the API endpoint. This only needs to happen when the call is to the /api part of the site. Up to this part it’s OK, but what is confusing for me is how I can make sure this is only done if the request is coming from within my domain.
So if, for example, someone tried to use Postman to make a request to the endpoint www.AAA.com/api, it will fail even if they include the header.
So in short, I need to block access to any request that is coming from outside Cloudflare; also, I don’t want to use referrers, as they are not advised for authentication and some ISPs might remove them from the headers.