I have an API server and a website server and I want to limit the access to the API server. Only visitors of my website should access the API server. Visitors are guests (so no login).
Besides tokens, OAuth 2.0 etc. (which we will also use) I would like to limit the access on the “IP of the domain origin” level.
What options does cloudflare offer?
Thanks!
If you know that the API requests are only going to come from the server itself and not users visiting the server, then you can create a firewall rule that blocks all requests apart from the server’s IP address.
You can also use the referrer header if it will be sent. Here’s an example rule:
(http.referer eq "https://yourwebsite.com" or http.referer contains "yourwebsite.com")
No - as written, visitors of my website (so guests with no login, who enter the website) will make requests (so their browsers will do the requests of course). And I don’t know the IP addresses of these guests
Then your best bet is using the referrer header check.
but can’t referrer header be “simulated” during an attack?
Yes, it can. There isn’t a way to block people from accessing a resource without login from attack, as methods can be spoofed, such as adding headers or cookies to the request. Using bot protection modes on the API endpoint could help, as well as CORS.
what is the best practice in this for both - front end and destination api server?
I mean, there are so many platforms with api requests for non logged in users, and all these have no “real” secured way for their own requests?
For the frontend, you are going to want to use CORS so that browsers won’t make unauthorized requests to your server. The destination API server should only accept requests from Cloudflare IPs.
Likely, the platforms are able to handle lots of requests easily. You will be playing a cat and mouse game with protecting a public endpoint. There isn’t a gold standard of “This will work”, there is just best effort.
Some solutions are:
- Checking HTTP headers
  - Can be spoofed
- Using bot management to protect the endpoint from bots
  - There are tools that people use to try and beat bot management
- Using CORS
  - Bots and scripts won’t care about CORS headers
You can also do stuff like blocking requests from AWS, GCP and other cloud providers, as those could be more likely to be scripts rather than users.
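The reply above says the origin API server should only accept requests from Cloudflare IPs, and that header checks (Referer, CORS) are advisory because scripts can set or ignore them. The following is an added example, not code from this thread or from Cloudflare, of how the origin side of that would look: the TCP peer address is checked against Cloudflare’s published egress ranges, the real client address is read from the CF-Connecting-IP header only when the peer really is Cloudflare, the Referer rule from the earlier reply is reproduced, and a CORS header is emitted for the one allowed site. The CIDR list embedded below is a constructed snapshot for the example; the authoritative list lives at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and must be refreshed from there. The site name “yourwebsite.com” and the sample addresses are assumptions.

```python
"""Origin-side admission checks for an API behind Cloudflare (added example).

Only the peer-address check is authoritative: if the socket peer is not a
Cloudflare address, the request reached the origin directly and bypassed every
Cloudflare rule (firewall rules, bot management, rate limits). Everything read
from headers, including CF-Connecting-IP and Referer, is client-controlled
unless the peer check has already passed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed snapshot of Cloudflare IPv4 ranges for this example only;
# refresh from https://www.cloudflare.com/ips-v4 (and ips-v6) in a real deployment.
CLOUDFLARE_RANGES_SNAPSHOT = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

ALLOWED_SITE = "https://yourwebsite.com"  # assumed frontend origin
ALLOWED_HOST = "yourwebsite.com"


@dataclass
class Request:
    """Minimal request model: the TCP peer address plus a few headers."""
    peer_ip: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def load_ranges(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


CLOUDFLARE_NETS = load_ranges(CLOUDFLARE_RANGES_SNAPSHOT)


def is_cloudflare_peer(peer_ip, nets=CLOUDFLARE_NETS):
    """True if the socket peer (not any header value) is inside a Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def client_ip(req, nets=CLOUDFLARE_NETS):
    """Trust CF-Connecting-IP only when the request really came through Cloudflare.

    A client talking to the origin directly can send any CF-Connecting-IP it
    likes, so for a non-Cloudflare peer the peer address itself is returned.
    """
    if is_cloudflare_peer(req.peer_ip, nets):
        cf = req.header("CF-Connecting-IP")
        if cf:
            try:
                return str(ipaddress.ip_address(cf))
            except ValueError:
                pass  # malformed header value: fall back to the peer address
    return req.peer_ip


def referer_matches(req):
    """Same logic as the firewall rule quoted earlier in the thread.

    Advisory only: any HTTP client can set Referer, and the 'contains' half
    also matches a foreign URL that merely embeds the string yourwebsite.com.
    """
    ref = req.header("Referer") or ""
    return ref == ALLOWED_SITE or ALLOWED_HOST in ref


def admit(req, nets=CLOUDFLARE_NETS):
    """Return (status, reason). Peer check first, header checks after."""
    if not is_cloudflare_peer(req.peer_ip, nets):
        return 403, "direct-to-origin request; Cloudflare was bypassed"
    if not referer_matches(req):
        return 403, "missing or foreign Referer (advisory check only)"
    return 200, "ok; client=" + client_ip(req, nets)


def cors_headers(req):
    """CORS response headers for the single allowed browser origin.

    Browsers enforce this on cross-origin reads; scripts and bots ignore it.
    """
    if req.header("Origin") != ALLOWED_SITE:
        return {}
    return {
        "Access-Control-Allow-Origin": ALLOWED_SITE,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    }


if __name__ == "__main__":
    # Constructed sample requests: one relayed by Cloudflare, one sent straight
    # to the origin with a forged CF-Connecting-IP and a forged Referer.
    via_cf = Request("104.16.1.1", {"CF-Connecting-IP": "203.0.113.7",
                                    "Referer": ALLOWED_SITE + "/page"})
    direct = Request("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7",
                                      "Referer": ALLOWED_SITE})
    for r in (via_cf, direct):
        print(r.peer_ip, admit(r), cors_headers(r))
```

The point of the layering is that the peer-address check answers the question asked later in the thread: you do not find Cloudflare by looking at a CF_ header, you find it by comparing the address on the socket with Cloudflare’s published ranges, and only then read CF-Connecting-IP for the visitor’s address. On a real origin this runs in the web server or reverse proxy (an allowlist of the same ranges in nginx or a cloud security group), with the application code never seeing a direct request at all.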
Do you mean the CF_… header (so the client IP)? Or how do I find out whether it’s the Cloudflare IP?
Cloudflare offers various options to limit access to your API server based on the IP of the domain origin. These include using Cloudflare Access, creating firewall rules, and configuring Access Policies. Additionally, you can use tokens or OAuth 2.0 to further restrict access.
thanks @legendsapk226. is there any article that would address these options and how to implement them for my case? thanks