rest API, IP origin control for preventing the bypassing of Apigee


We have created a Rest API using Spring. There is no security implemented.

Now we are going to use Apigee for API management; it will provide various services for monitoring, security, etc. All our clients should now call our API using the new Apigee addresses rather than directly calling our service on our server.

How can we enforce that the bypassing of Apigee is impossible?

I guess, in our code, we can have a filter and use the "Access-Control-Allow-Origin" property, something like:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class OurFilter implements Filter
{
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
            ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // CORS headers added to every response before it is passed down the chain
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, DELETE");
        chain.doFilter(req, res);
    }
}

Where the "*" would be replaced by the Apigee IP, domain name or something.

My question is how safe that is. Can people just add a header to their HTTP request and call our server directly successfully anyway? Or does it check the origin IP at the low level of individual IP packets?

And if it is spoofable just by editing the HTTP header, what is the right way to make the bypassing of Apigee impossible?

Many thanks


Dear @MikaelW ,

Welcome to Apigee Community 🙂

Please look at our documentation "Last-Mile Security" that explains "How to prevent so-called "end-run" attacks, where an app developer discovers the URL for a backend service and bypasses any API proxies to directly hit the backend URL."

Please keep us posted if you have any further queries.

Hi @MikaelW, typically this is done at a firewall or a load balancer which sits in front of your application server. Do you have such a setup?

If not, I would strongly recommend doing two-way SSL and not just relying on IP address based validation.
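As an added illustration of the two-way SSL approach both replies point to (not code from this thread, from Apigee, or from the poster's project): a servlet filter for the Spring backend that only lets a request through when the TLS client certificate presented in the handshake is the one expected from Apigee. It assumes the container has been configured to require client certificates (for Spring Boot, `server.ssl.client-auth=need` plus a truststore holding the issuing CA), and the fingerprint constant is a placeholder to be replaced with your own value.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// The TLS handshake (client-auth=need + truststore) already rejects callers that
// present no trusted certificate. This filter adds a second check so that only the
// specific certificate installed on the Apigee target endpoint is accepted, not any
// certificate the trusted CA happens to have issued. Unlike a CORS header, this
// cannot be satisfied by a caller simply adding a header to the request.
public class ApigeeClientCertFilter implements Filter {

    // Hypothetical placeholder: SHA-256 fingerprint (hex) of the Apigee client
    // certificate, e.g. from `openssl x509 -noout -fingerprint -sha256`.
    private static final String EXPECTED_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Standard servlet attribute populated by the container after mutual TLS
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0
                || !EXPECTED_SHA256.equalsIgnoreCase(fingerprint(certs[0]))) {
            // No client certificate, or one that is not Apigee's: refuse to serve
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }
}
```

Register the filter for every path of the API; with the container enforcing client-auth, a direct call that skips Apigee fails at the TLS handshake before this code runs, and a call with some other trusted certificate is refused here with 403.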