Web Frontend and API Backend

Getting Started
#1

Hi,

I have a front end hosted on a shared server and an api backend hosted on a VPS. I’m looking at securing and mitigating attacks such as DDOS on front and back ends.

If I was to use Cloudflare for front-end, then my NS will be changed and users using address mysite.com will be directed to Cloudflare. Behind the scenes Cloadflare will communicate with my front-end host as and when needed. So my question is can a user bypass Cloudflare and target my hosted site directly - perhaps by knowing IP address?

Regarding the back-end, the API’s are designed to be accessed by only my front-ends. Authentication is built in but they are publicly available. Should a user discover these API’s they could attack them directly. Is there any way Cloudflare products can be used to prevent users attacking the back-end API’s ?

Thanks

#2

Yes, they can. On shared servers, you most likely can’t stop this. If you have some type of firewall control, you can block any hits that don’t come through these:

If the front end is querying the back end API through host names, you may need to configure the back end to limit access to the origin IP address. Or…configure the front end to connect to the back end by the IP address of your VPN, then add one more exception at your VPN to allow the shared server’s IP address as well.

1 Like
#3

Thanks for sharing IP Ranges, makes sense. I will try out once I find a suitable static host provider that allows IP filtering, any suggestions would be useful.

The front-end does query API back-end. At the moment the front-end and back-end are hosted on different servers. The front-end accesses the back-end API’s through IP address or can be domain name (api.mysite.com) - I thought it would not be possible to restrict the incoming IP range to the back-end because when a genuine users browser loads the front-end webpage (static1.mysite.com), this users IP address is used to make these back-end requests and these IP addresses could be anything and would not be know in advance, so I cannot block these. Have I misunderstood?