We use Cloudflare Access to make web applications on the local server available to external users.
In that case, HTTP requests from the external API will pass through the Cloudflare proxy once, but will they be blocked at that point?
I would like to use the SwitchBot API's webhook, but I am not receiving any notification. I would like to make this work.
I am a newbie with React project deployment. The API server is a Laravel project and it's hosted on SiteGround.
I am sure the APIs work in Postman. The React project runs on localhost:3000. In order to fetch some data from the API, I have added proxy: "http://api server domain" to package.json.
It always says "Not allowed method" when I try to fetch the data.
So I have hosted the API server on localhost. In this case I added proxy: "http://localhost:8000" to package.json, and it works perfectly.
How can I solve this issue?
It seems like you're having a CORS (Cross-Origin Resource Sharing) problem.
According to MDN, CORS is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses XMLHttpRequest to make a request for https://domain-b.com/data.json.
For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from, unless the response from other origins includes the right CORS headers.
More technical details HERE.
Solving:
You need to enable CORS on your API service.
If you don't have access to configure Apache, you can still send the header from a PHP script. It's a case of adding the following to your PHP scripts:
```php
<?php header("Access-Control-Allow-Origin: *");
```
The following link shows how to: How to enable CORS on PHP
Since you're using Laravel, using a middleware may be a good way to solve your CORS situation.
CORS Middleware for Laravel should help you.
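A fuller version of the middleware approach the answer recommends, written here as an added example rather than code taken from the answer or from any CORS package. It differs from the one-line `*` header in two ways a practitioner cares about: it reflects only origins on an explicit allowlist (a `*` origin cannot be combined with browser credentials such as cookies, and says nothing about who is calling), and it answers the preflight OPTIONS request itself, before routing, so the preflight never reaches a route that only accepts GET or POST. The origins, class name and file path are assumptions for this example.

```php
<?php
// app/Http/Middleware/AllowListedCors.php  (added example, not from the original answer)
// Register it as global middleware (app/Http/Kernel.php $middleware in Laravel 10 and
// earlier, bootstrap/app.php ->withMiddleware() in Laravel 11) so it runs before routing.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AllowListedCors
{
    /** Origins allowed to call this API. Assumed values: the React dev server and a production front end. */
    private const ALLOWED_ORIGINS = [
        'http://localhost:3000',
        'https://app.example.com',
    ];

    private const ALLOWED_METHODS = 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
    private const ALLOWED_HEADERS = 'Content-Type, Authorization, X-Requested-With';

    public function handle(Request $request, Closure $next): Response
    {
        $origin = $request->headers->get('Origin');

        // Exact match on scheme://host[:port]. No substring or regex match, and never
        // reflect an arbitrary Origin back: that is "*" with credentials enabled.
        if ($origin === null || !in_array($origin, self::ALLOWED_ORIGINS, true)) {
            // No CORS headers at all: the browser refuses to expose the response to the page.
            return $next($request);
        }

        // Preflight: the browser asks whether the real request may be sent. Answer it here
        // so it never hits the router (and never produces a method-not-allowed response).
        if ($request->isMethod('OPTIONS') && $request->headers->has('Access-Control-Request-Method')) {
            return response('', 204)->withHeaders(self::corsHeaders($origin));
        }

        // Actual request: run the route, then attach the headers to whatever it returned.
        $response = $next($request);
        foreach (self::corsHeaders($origin) as $name => $value) {
            $response->headers->set($name, $value);
        }
        return $response;
    }

    private static function corsHeaders(string $origin): array
    {
        return [
            'Access-Control-Allow-Origin'      => $origin,
            'Access-Control-Allow-Methods'     => self::ALLOWED_METHODS,
            'Access-Control-Allow-Headers'     => self::ALLOWED_HEADERS,
            'Access-Control-Allow-Credentials' => 'true',   // only legal with an explicit origin, never with "*"
            'Access-Control-Max-Age'           => '600',    // browser may cache the preflight for 10 minutes
            // Shared caches must key on Origin, or one origin's ACAO value is served to another.
            'Vary'                             => 'Origin',
        ];
    }
}
```

Note what CORS does and does not do: it controls which pages a browser will let read the response; it is not authentication. A request from a non-browser client (curl, Postman) ignores it entirely, so the API still needs its own token or session check.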
I want to check whether incoming requests come from a few allowed domains (my own Angular clients), so I can secure my app even if the token is sent in each request.
I've tried (from my online app) to get the IP address with $request->getClientIp(), but I always get the same IP, 172.17.0.1, whether I access it from Postman or from the Angular client.
I've also tried to get the Origin and User-Agent, but it's very easy to change headers in Postman, so that would not be secure.
Is there any way to know the client app's domain or IP (securely, over HTTPS) from the Laravel RESTful app?
Edit:
I'm serving my app on Dokku.
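An added example, not from the post above, for the IP half of the question. 172.17.0.1 is the default address of Docker's bridge gateway, which is consistent with a Dokku container seeing the host-side reverse proxy rather than the real client on every request; the client's address then arrives in the X-Forwarded-For header, and Laravel only believes that header for proxies it has been told to trust. The layout below is the Laravel 8 to 10 one; the proxy address is an assumption and must match your own deployment.

```php
<?php
// app/Http/Middleware/TrustProxies.php  (added example, not from the original post)
// Assumption: the only hop between the client and this app is the proxy at 172.17.0.1.
// Trust that address only. Trusting "*" in production lets any client forge its own
// IP by sending X-Forwarded-For itself.

namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;

class TrustProxies extends Middleware
{
    /** Proxy address(es) whose forwarded headers are believed (hypothetical value). */
    protected $proxies = ['172.17.0.1'];

    /** Forwarded headers to honour; the AWS ELB variant is deliberately left out. */
    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO;
}
```

With this in place `$request->ip()` (which calls `getClientIp()`) returns the forwarded client address instead of the proxy. It still does not identify "your Angular app": a browser-based client has whatever IP its user has, and the Origin header is set by the browser only when the code runs in one, so outside a browser both can be chosen freely. The per-request token remains the thing that authenticates the caller.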
My application allows the user to connect to my backend, which redirects the request to an external API of another website.
This other website allows access to a REST API through the use of an application and private key. The keys are stored on my backend server for security purposes. The other website allows other developers/administrators to make their own instance of that website with the same REST API keys but with different content.
So the flow is as follows:
Client application connects to backend server.
(When successfully authenticated) The client sends request for information to backend server.
Backend server forwards the request to a REST API instance of an external website.
REST API instance of the external website returns requested information to backend server.
Backend server returns requested information to client.
In the process of requesting the information, the client needs to specify, via a URI, which external API the backend server should connect to.
With security in mind I've noticed a big issue with my system: the user could send the URI of a "REST API" in his possession that actually captures all the data between the backend server and the bad "REST API". This way the bad URI could capture the secret REST API keys for malicious purposes.
How can I be sure that the URI the client provides to the backend server is a legitimate URI for an external REST API and not just a random, bad or malicious URI?
The only solution I've come up with is a database check of the legitimacy of a URI to deal with this issue.
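One way to implement the registry check described above, as an added example that is not part of the original post. The client never sends a URL at all: it names a registered instance by an opaque id, and the backend owns the scheme, host, path and key. The instance table and endpoint list are hypothetical stand-ins for the database lookup the poster mentions; whatever populates that table is the real trust boundary, so registering an instance should be an administrator action, not something a client can do.

```php
<?php
// Added example, not from the original post: resolve a client's request to an
// upstream URL from an allowlist, and attach the secret only after that succeeds.

declare(strict_types=1);

final class UpstreamRegistry
{
    /** Hypothetical registered instances; in practice loaded from your database. */
    private const INSTANCES = [
        'inst-a1' => 'https://instance-a.example.net/api/v1',
        'inst-b2' => 'https://instance-b.example.org/api/v1',
    ];

    /** Only these upstream endpoints may be proxied, with their allowed methods. */
    private const ENDPOINT_METHODS = [
        '/items'  => ['GET'],
        '/search' => ['GET'],
    ];

    /**
     * Returns the full upstream URL for a client request, or null when anything
     * about the request falls outside the allowlist.
     */
    public static function resolve(string $instanceId, string $method, string $endpoint, array $query = []): ?string
    {
        $base = self::INSTANCES[$instanceId] ?? null;
        if ($base === null) {
            return null;   // unknown instance: refuse; never fall back to a client-supplied URL
        }

        $allowed = self::ENDPOINT_METHODS[$endpoint] ?? null;
        if ($allowed === null || !in_array(strtoupper($method), $allowed, true)) {
            return null;   // endpoint or method is not proxied
        }

        // The query string is rebuilt from a key/value array, so client input such as
        // "?x=1#", "/../" or an "@evil.example" authority cannot change path or host.
        $qs = $query === [] ? '' : '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);

        return $base . $endpoint . $qs;
    }
}

/**
 * Builds the outgoing request for an HTTP client. Returns null when the request must
 * be rejected; the key is only ever attached to a URL the registry produced.
 */
function buildUpstreamRequest(array $clientInput, string $apiKey): ?array
{
    $url = UpstreamRegistry::resolve(
        (string) ($clientInput['instance'] ?? ''),
        (string) ($clientInput['method'] ?? 'GET'),
        (string) ($clientInput['endpoint'] ?? ''),
        (array)  ($clientInput['query'] ?? []),
    );
    if ($url === null) {
        return null;
    }

    return [
        'url'     => $url,
        'headers' => ['Authorization' => 'Bearer ' . $apiKey],   // header name assumed; use what the upstream API expects
    ];
}

// Constructed inputs:
//   buildUpstreamRequest(['instance' => 'inst-a1', 'endpoint' => '/items', 'query' => ['q' => 'a b']], 'secret')
//     yields url "https://instance-a.example.net/api/v1/items?q=a%20b"
//   buildUpstreamRequest(['instance' => 'https://attacker.example/', 'endpoint' => '/items'], 'secret')
//     yields null, so the key is never sent anywhere the attacker chose
```

If the registered base URLs ever come from user input (for example an administrator pasting one), validate them at registration time as well: require `https`, a hostname rather than an IP literal, and no userinfo, so the stored value itself cannot point the keys at a private address or an attacker-controlled host.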
If we're using Firebase Hosting, how would we access someone's API without server-side scripts like PHP?
Firebase Hosting only hosts static files, so in order to call an external API you have to do it from JavaScript using fetch/axios or something like that. However, if the API endpoint hasn't enabled CORS for your domain, your browser won't allow that request, for security reasons.
I ended up figuring out how to do it using PHP.
I have a question regarding HTTP requests. I have a web service with an API endpoint on the subdomain of one website, but the API is actually used by two websites.
Basically we have website1.com and website2.com, and the API server is located at api.website1.com, so when website1 uses the API the request is sent to its own subdomain. But when website2 uses the API it sends the request to api.website1.com, which is a fully external request.
Would it speed up the requests if I cloned the API server to a subdomain of website2, or would there be no difference in terms of connection speed?
All else being equal, it makes no difference.
If the sites were hosted on different computers and your change meant that the API would move to the same computer as the site making requests to it, then you would reduce the amount of network traffic, which would speed things up.