Ways to protect your ExpressJS RESTful API from unauthorized access

Is it possible to enhance security for an expressjs RESTful API so that only a react native app and react website have access?

For example, the server runs on port 8000, the react native app is on port 3000, and the website on port 5000. It’s desired that the server only responds to requests from these specific ports.

Consider having a POST route like mydomain.com/signup; it should not be accessible to users via external websites or tools such as Postman.

What methods can be implemented to make sure that only the mobile app and web site are permitted to interact with the RESTful routes?

node.jsreact-nativeapirestexpress

Answer №1

Initially, there seems to be a misconception about how requests to your API function. When your react application communicates with the server on port 8000 from port 3000, it is simply an incoming request without a specific origin tied to port 3000. The inbound port number will typically be randomly generated with either 5 or 6 digits. Outbound ports are dynamically assigned by the TCP system and do not reveal the originating application.

In addition, your RESTful API server acts as a public endpoint accessible to anyone. While you can implement cross-origin protections to restrict JavaScript requests to specific domains, other non-browser requests cannot be controlled in the same manner.

Hence, any individual proficient in coding using tools aside from browsers can interact with your API. Larger entities like Google often mandate an APIKey issued to users or require login credentials (such as cookies) to verify permitted access. Nonetheless, this does not guarantee exclusive usage by your application; prevention of external access is nearly impossible.

The common practice involves enforcing login credentials or APIKeys while monitoring API activity patterns. Permissible use is determined based on the nature and frequency of requests, whereas improper usage may result in temporary or permanent blocking of the user or credential in question.

For instance, suppose I have a POST route at mydomain.com/signup. How can I prevent unauthorized usage through external sources like Postman?

Unfortunately, achieving absolute restriction is challenging. Despite implementing measures, such as introducing expiring tokens within web pages and validating their usage in API requests, skilled individuals can still extract and misuse these tokens for accessing the API programmatically.

What strategies can I employ to restrict access to my RESTful routes exclusively to my mobile app and website?

Regrettably, complete exclusivity is unattainable due to the inherent nature of web APIs being publicly available. Any entity possessing the requisite credentials can potentially utilize the API regardless of intended restrictions.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Utilizing Node.js with Mongoose callbacks

Despite reading numerous answers, I am still struggling to get this function to work. My goal is to return the length of a query find on Mongoose with a simple function structure as follows: app.use(function(req, res, next) { res.locals.user = nul ...

node.jsasynchronousexpresscallbackmongoose

Issue encountered during npm installation of node-sass-middleware

After executing the command npm install node-sass-middleware, I encountered an error... npm WARN deprecated @npmcli/<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="e68b899083cb808f8a83a6d7c8d7c8d4">[email protected]</ ...

node.jsnpmsassnpm-installnode-sass

Issue occurred while running a Docker command within a Jenkinsfile

Currently, I am working on an end-to-end test project using Nightwatch.js, which runs on the NodeJS framework. My goal is to create a pipeline for executing these tests via Jenkins in a Docker container by utilizing a Jenkinsfile. The plan is to initiate a ...

node.jsshelldockerjenkinsjenkins-pipeline

Express and subdomains for dynamic content only

How can subdomains be effectively managed using nodejs and express? Each subdomain will not contain static files like index.html, but rather pure code and logic. var express = require('express'), http = require('http'); var app = ...

node.jsexpress

Accessing a png image from a request using body-parser and Express

When using Postman to send a request to my server, I encounter an issue with accessing an image in my application. Here is the code snippet that represents my setup: My application includes the following JavaScript files: app.js var express = require(&a ...

node.jsexpresspostbinarybody-parser

What is the best way to relocate all matching lines of x to the beginning of the file?

How can I rearrange all the lines of code that start with or include "@use" to the top of the file while alphabetizing and removing duplicates? .css-class { @use 'text-size' as *; // How to move all lines starting with @use to the top of the fi ...

node.jsnpmfs

Transferring information from a React form to an ExpressJS backend and then seamlessly redirecting to the PayuMoney platform for secure payment processing

Challenge Overview : I am currently working on the integration of payuMoney in a website built with ReactJS, NodeJS, and Express. The goal is to create a form where users can input their data, and then pass this information to the backend API located in in ...

node.jsreactjsrestexpresspayumoney

Insert data into Typeorm even if it already exists

Currently, I am employing a node.js backend in conjunction with nest.js and typeorm for my database operations. My goal is to retrieve a JSON containing a list of objects that I intend to store in a mySQL database. This database undergoes daily updates, bu ...

mysqlnode.jstypescriptnestjstypeorm

NodeJS Throws an Error: Unexpected Symbol

Looking to create a website based on Rullete. I have the necessary code and scripts, but when I try to run the script, I encounter an error. [SyntaxError: Unexpected token <] SyntaxError: Unexpected token < at Object.parse (native) at Reques ...

sqlnode.jsubuntunpm

Upon launching the app in the browser for the first time, a 404 error occurs when trying to load the favicon in Node

Whenever I open the browser for the first time, not just a new tab but the browser itself, my Node.js application returns a 404 error indicating that the favicon is not found. However, when I open the app in a new tab, it works perfectly fine. This issue ...

node.jsexpressfavicon

Tips for resolving the error message "CORS policy blocking XMLHttpRequest access while trying to retrieve data from an API"

I've scoured through numerous similar questions without finding a solution that works for me. In the process of creating a React application, I'm attempting to retrieve data from my university's library API, which is in XML format. To conve ...

reactjsapi

The system does not acknowledge 'grunt' as a valid internal or external command when executing a batch file

After installing grunt, jshint, bower, etc. using npm install [x] on my computer, I can see each of them as a file in C:\Users\Me\AppData\Roaming\npm. When I use the Command Prompt to run jshint, grunt, etc., they work perfectly f ...

node.jsbatch-filenpm

Unable to retrieve POST request from Node.js server when it is hosted on a specific route

Currently, I have a website that was created using wordpress and it has one route that connects to a node.js server. Let's say the domain is https://www.wordpress.com/, with the node.js route as https://www.wordpress.com/node. Here are the hosting se ...

node.jshttpserver

passport.js and express: TypeError - Router.use() must be given a middleware function, but instead received a ' + gettype(fn)

I encountered an error while using passport.js with Express.js TypeError('Router.use() requires a middleware function but got a ' + gettype(fn)) This issue arose from the following code: passport/local.js var LocalStrategy = require("passport ...

javascriptnode.jsexpresspassport.js

Transmitting information from the front-end Fetch to the back-end server

In my stack, I am using Nodejs, Express, MySQL, body-parser, and EJS. My goal is to trigger a PUT request that will update the counter by 1 when a button is pressed. The idea is to pass the ID of the clicked button to increment it by 1. app.put("/too ...

javascriptnode.jsajaxexpressfetch

I am able to input data into other fields in mongoDB, however, I am unable to input the

I am facing an issue with the password while everything else seems to be working fine. I am using a schema and getting an error, but it could be a problem in my functions because I hashed the password. I am unable to identify what's causing the issue. ...

javascriptexpressmongoose

Compilation of services operational on the device using Node.js

I am looking to create a node js program that can retrieve the list of services currently running on the machine and determine their status. Is there a specific command or API in node js that can provide this information? I attempted to use the 'sc qu ...

node.js

Executing a Node.js Express project in public mode

Usually, I have no issues running my project on Linux as public. However, I am now trying to run the project on Windows as public. I have set up rules for Windows Firewall, but when I try to open the page 192.168.0.106:3000, I receive an error stating that ...

node.jswindowsexpress

Having trouble getting Collapse condition to work when using ReactStrap with ReactJS?

Currently, I am working on creating a collapsible navbar using a basic boolean state change triggered by clicking the Toggle Button. Depending on the boolean value, the Collapse Menu will either be revealed or hidden. I have encountered an issue with this ...

reactjsreact-nativereactstrap

Leveraging Jira.js for mass assigning a version to multiple issues

Currently utilizing the jira.js node library, I have successfully managed to create versions and query issues. My next goal is to assign these versions to the respective issues, but despite my efforts including googling and consulting ChatGPT, I haven&apos ...

node.jsjira