I am trying to code a website where the user inputs information and it is passed to the backend (node.js/express.js) by the JavaScript. I don't want just anyone to be able to POST the JSON to the server, just the website's code. I am not sure how to do this as I can't use authorisation keys because that would be available as the code is client-side.
The server is using express.js run on node.js and the frontend is just JavaScript triggered from an HTML file.
Any help appreciated!
CodePudding user response:
Short answer: you can't.
Long answer:
Once your API is public on the Internet, everything can connect to it as long as it has network capabilities. Telnet, HTTP, Go program, Node.js scripts, Python scripts, etcetera.
You can limit your API access by using CORS policy, authorization header, user-agent header, referrer header, rate limiter and the like, but it's only a deterrent and everything can be spoofed by a malicious user.
In my opinion, you shouldn't worry about that, really. If you really really want security, and do not want others to access your API, consider implementing a user authentication system with JWT or sessions with secure cookies. It's the best way to protect your endpoints.
Check out these OWASP articles below to learn more about API security.
If you want to learn more about secure cookies and user authentication in Express, you can check the following articles:
I also have one more good article, it's in Go, but you can adapt the concepts in Express.js as well. Here's the link.