Protect AWS API Gateway To Only My Extension Calling It

Time:12-05

Is it a possibility to set up something like the API Gateway CORS Access-Control-Allow-Origin to only allow a Firefox extension that I am writing to call it? Setting Access-Control-Allow-Origin to '*' is what I did for testing, but it does not seem like a good policy for when it is released.

I wondered if there was any way to make it so the AWS API Gateway only gives a good response when the request is made by my extension, and not another. Or is this just an impossibility, to restrict the API to only my extension?

I am using XMLHttpRequest to make the call to the API Gateway.

CodePudding user response:

Just a note: CORS is for browsers to restrict cross-origin HTTP requests. CORS won't stop someone invoking the API from outside a browser, e.g. using cURL, Postman, or some other non-browser-based app.

CodePudding user response:

Yes, it is possible to restrict access to your API Gateway to only certain clients, such as your Firefox extension. One way to do this is to use a custom domain name for your API Gateway and then set up a whitelist of allowed origins in the Access-Control-Allow-Origin header in your API Gateway. This will only allow requests from the specified origins to be processed by your API Gateway, and all other requests will be rejected.

To set up a custom domain name for your API Gateway, you can follow the instructions in the AWS documentation. Once you have a custom domain name set up, you can configure your API Gateway to use it by setting the domainName property in your API Gateway configuration.

To set up a whitelist of allowed origins in your API Gateway, you can use the Access-Control-Allow-Origin header in your API Gateway configuration. This header specifies a list of origins that are allowed to access your API Gateway. To allow requests from your Firefox extension, you would need to add the origin of your extension to this list.

For example, if your Firefox extension is hosted at https://my-firefox-extension.com, you would need to add this origin to the Access-Control-Allow-Origin header in your API Gateway configuration like this:

Access-Control-Allow-Origin: https://my-firefox-extension.com

This will allow requests from your Firefox extension to be processed by your API Gateway, while rejecting all other requests.

Keep in mind that you will need to update your API Gateway configuration and redeploy your API in order for these changes to take effect. You can learn more about configuring the Access-Control-Allow-Origin header in the AWS documentation.
