I'm trying to figure out if there's a way to restrict access to an API endpoint such that it can only be called from a UI hosted on a specific domain. The challenge is that I want the endpoint to be accessible to non-logged-in users, but I want to prevent access from anywhere else. Is it possible to achieve this without implementing any form of authentication? I considered using CORS and tokens, but I'm worried that someone could easily spoof this with a third-party request.
3 Answers
If you’re serious about security, you might consider using a Cloudflare Turnstile-like method for validation. It allows for a passwordless token that the server can validate. This could help you achieve the level of protection you’re looking for without traditional login methods.
Using CORS can help limit who can access your endpoint from a browser, but keep in mind that any endpoint exposed to the client can be hit by other HTTP clients too. Sure, you can restrict headers or implement CORS, but those can be faked. If your concern is keeping endpoints private, you might want to rethink what you’re trying to secure.
You can use Same-Origin Policy (SOP) to protect your API from other origins. Combine that with CORS to specify allowed origins, but remember, any client the user controls can send any request. So, implementing authentication along with rate limiting is the real way to protect your endpoints.
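The three answers above make one combined point: a CORS allow-list only governs what a browser will let a page read, an `Origin` header (or any other header) can be set freely by a non-browser client, and the only thing the server can actually rely on is something it issued and can verify itself, backed by rate limiting. The following is an added illustration of that division of labour, not code from any of the answers or from Cloudflare Turnstile. It uses the standard library only; the server secret, allowed origin, IP addresses and limits are constructed values, and `issue_token`/`verify_token` are a hypothetical stand-in for the short-lived, server-validated challenge token a Turnstile-like service would provide.

```python
import hmac
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Constructed values for this example; a real deployment keeps the secret
# out of source control and loads the allow-list from configuration.
SERVER_SECRET = b"example-secret-do-not-use"
ALLOWED_ORIGINS = {"https://app.example.com"}
TOKEN_TTL_SECONDS = 120
RATE_LIMIT = 5        # requests per client per window
RATE_WINDOW = 60      # seconds


def cors_headers(origin):
    """Return CORS response headers for an allow-listed Origin, else none.
    This only controls what a browser lets a cross-origin page read; any other
    HTTP client can send whatever Origin it likes, so it is not access control."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def issue_token(now=None):
    """Mint a short-lived, HMAC-signed, single-use token (hypothetical stand-in
    for a Turnstile-style challenge token handed to a page that passed a check)."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    payload = f"{now}.{nonce}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{sig}"


_used_nonces = set()   # replay protection; would be a shared store in production


def verify_token(token, now=None):
    """Accept only a token this server minted, that is still fresh, and that
    has not been redeemed before. Every failure path returns False."""
    now = int(now if now is not None else time.time())
    try:
        issued_str, nonce, sig = token.split(".")
        issued = int(issued_str)
    except ValueError:
        return False
    payload = f"{issued}.{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    if now - issued > TOKEN_TTL_SECONDS or issued > now + 5:
        return False          # expired, or issued "in the future"
    if nonce in _used_nonces:
        return False          # replayed
    _used_nonces.add(nonce)
    return True


_hits = defaultdict(deque)    # client -> timestamps of recent requests


def rate_limited(client_ip, now=None):
    """Sliding-window limiter: True when the client has exceeded RATE_LIMIT
    requests in the last RATE_WINDOW seconds."""
    now = now if now is not None else time.time()
    q = _hits[client_ip]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def handle_request(origin, token, client_ip, now=None):
    """Decide on one request; returns (status, response_headers).
    CORS headers are emitted for an allowed Origin regardless of outcome,
    because they are a browser courtesy, not the gate. The gate is the
    server-verified token plus the rate limit."""
    headers = cors_headers(origin)
    if rate_limited(client_ip, now):
        return 429, headers
    if not verify_token(token, now):
        return 403, headers
    return 200, headers


if __name__ == "__main__":
    tok = issue_token()
    print(handle_request("https://app.example.com", tok, "203.0.113.5"))   # accepted
    print(handle_request("https://app.example.com", tok, "203.0.113.5"))   # replay rejected
    print(handle_request("https://app.example.com", "forged", "198.51.100.9"))  # spoofed Origin, no token
```

The third call in the demo is the point of the thread: a client that fakes an allow-listed `Origin` still receives the CORS headers, but is rejected because it holds nothing the server issued. Swapping `issue_token`/`verify_token` for a real challenge provider changes who mints the token, not the shape of the check.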

That actually sounds like the kind of solution I'm looking for—an easy way to validate without needing a password.