How may I restrict my API to only be accessed by the Frontend only

Time:08-09

I'm building a game, and someone has exploited the API

How may I choose a list of "allowed domains" that can fetch through my API? My previous API was used by someone to increase their in-game money.

CodePudding user response:

Learn about CORS Policy and implement it on your API Backend. Most probably, if you are using any of the popular frameworks to build your backend, you will already have this setting. You may just need to enable it and add your frontend IP/URL to it.

CodePudding user response:

The comment and answer referring to the usage of CORS aren't solving the problem of someone exploiting your API. Everyone can write a program to simply set the Origin header themselves.
Increase your security by securing the API with any sort of credentials, e.g. api tokens. And then build your logic in a way that it isn't possible to perform those tampering actions.

Validate on server-side that the request is valid (why would anyone be able to simply increase the money by hitting an endpoint, they should do e.g. a quest and your server validates that it was successfully done and rewards the money).
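An added example (not code from the question or either answer) of the approach this answer describes: the reward is granted only after the server verifies a signed session token and checks its own record that the quest was completed, and the amount comes from a server-side table rather than from the request. The token format, secret, quest table and player records are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample state; in a real backend these live in a database.
SERVER_SECRET = b"constructed-server-secret"          # never sent to the client
QUEST_REWARDS = {"slay_dragon": 500, "fetch_water": 20}  # amounts fixed server-side
players = {"alice": {"balance": 100, "claimed": set()}}
# Completions are recorded by server-side game logic when a quest finishes,
# never taken from a field the client sends.
completed_quests = {("alice", "fetch_water")}


def issue_token(player_id):
    """Hypothetical scheme: HMAC-signed token binding a session to a player id."""
    nonce = secrets.token_hex(8)
    payload = f"{player_id}:{nonce}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token):
    """Return the player id if the token's MAC checks out, else None."""
    try:
        player_id, nonce, mac = token.split(":")
    except ValueError:
        return None
    payload = f"{player_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return player_id


def claim_reward(token, quest_id):
    """Server-side handler for 'claim quest reward'.

    Note what is NOT an input: the Origin header and a client-chosen amount.
    Every decision is made from state the server itself wrote.
    """
    player_id = verify_token(token)
    if player_id is None or player_id not in players:
        return {"ok": False, "error": "unauthenticated"}
    if quest_id not in QUEST_REWARDS:
        return {"ok": False, "error": "unknown quest"}
    if (player_id, quest_id) not in completed_quests:
        return {"ok": False, "error": "quest not completed"}
    player = players[player_id]
    if quest_id in player["claimed"]:
        return {"ok": False, "error": "already claimed"}   # replaying the call gives nothing
    player["claimed"].add(quest_id)
    player["balance"] += QUEST_REWARDS[quest_id]
    return {"ok": True, "balance": player["balance"]}
```

Compare this with an endpoint such as `add_money(player, amount)`, which the question describes being abused: there the client chooses the outcome, here the client can only ask, and the server decides.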
