How to restrict api call based on domain name?

Not applicable

Hi All,

Is there anyway in ApiGee to allow API call access only from specific domain? For example, I want ApiGee call to be triggered to Targeted API only if the request is made from www.example.com (or) Host ip address of www.example.com. Is it possible?

Solved Solved
0 22 28.6K
2 ACCEPTED SOLUTIONS

I'd read the "Host" header value and put a RaiseFault policy if value is invalid. Host header value is automatically put into a variable called request.header.Host for you so doing this should be fine:

<Step>

  <Condition>request.header.Host != "google.com"</Condition>

  <Name>RaiseFault.RequestFromInvalidDomain</Name>

</Step>

View solution in original post

You can filter the origin domain in a JS call using CORS origin header.

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. This happens in preflight (OPTIONS) call before the real API call happens.

You should be able to configure Apigee to send correct Origin header back (www.example.com) so that no other domains can do a JS call from any other domain.

http://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work

But your API is still open for anyone else using an api client (like curl) without using JS. So while you are preventing access from other JS clients, your API is still wide open for any other client type.

Perhaps a proper security measure (OAuth perhaps?) is better suited for this?

View solution in original post

22 REPLIES 22

Not applicable

You can use access control policy to achieve this. Here is the sample documentation to do this: http://apigee.com/docs/api-services/reference/access-control-policy

@Archendra Yadav - are you sure access control policy provide domain name validation?

@Ozan Seyman We don't support the domain name validation using access control policy.

@Venkatesh

You can check the origin of request using request headers 'referer' HTTP_referer and implement a fault rule based on request header 'referer' parameter. Does that solve your use case ?

Or, You can use Access Control Policy that restricts based on ip.

Not applicable

Can you please elaborate the usecase? basically it will help us understand the root problem you are trying to solve.

I have got an API licence from Support third party. They have given us the API Key and other stuffs. We are using jQuery to access the Rest Api(Third Party). I have included the standard Api key and other stuffs inside ApiGee using Assign Message Proxy which is working perfectly. And now, I want the ApiGee Proxy Api to accept my Rest Api call only it comes from www.example.com or 11.21.22.55 ip address...... Hope it is clear.

I suggest exploring Developer Apps and API Product support of Apigee to segregate users rather than IP/domain name based restrictions. Let me know that approach helps.

I'd read the "Host" header value and put a RaiseFault policy if value is invalid. Host header value is automatically put into a variable called request.header.Host for you so doing this should be fine:

<Step>

  <Condition>request.header.Host != "google.com"</Condition>

  <Name>RaiseFault.RequestFromInvalidDomain</Name>

</Step>

Great! Can you explain about it more. How to read 'Host' header value and put it in RaiseFault policy?

You can read the Host header value using this variable: request.header.Host. It's value will be the domain name (like google.com in above example).

Once the condition is true (see example above), then you can return a fault response back to the client using RaiseFault policy (http://apigee.com/docs/api-services/reference/raise-fault-policy)

Thank you 🙂 Is it possible to print 'request.header.Host' anywhere in order to see the exact value. Why I am asking is, We have not set up domain yet, we are currently working using server IP address. Need to check if I can get the Host IP address.

Sure - you can see it by running a trace and looking at client's request.

1. Login to enterprise.apigee.com

2. Pick your API, jump to trace view and start trace

3. Execute API call and look at the request headers by clicking on the first circle on trace (see the screenshot below - mine is oseymen-test.apigee.com)

Thanks for the screenshot, Ozan 🙂 . I implemented the way you said. But, As my proxy api is 'venkateshrajavetrivel-test.apigee.net', I'm getting Host name as the same 'venkateshrajavetrivel-test.apigee.net' when I trigger the call so, this also fials in my case 😞 Added the screenshot below

Not applicable

But, the Access Control Policy checks only the Client IP address. I want it to check the requesting Domain (or) Domain IP address. For example, the API calling script(written in php or jquery(ajax)) is in www.example.com domain, I want ApiGee if the request is coming from www.example.com and accept it and deny the request if it is coming from www.notexample.com

Sorry - couldn't attach the image to a comment...

604-screen-shot-2015-06-16-at-095943.png

Not applicable

Please Find below

606-apigee.png

I guess I misunderstood your requirements in that case. venkateshrajavetrivel-test.apigee.net is the domain name that is being requested so request.header.Host is showing that value.

What were you expecting to get in the host header?

Yeah. My requirement is, I am shooting http://venkateshrajavetrivel-test.apigee.net/xxx/yyy Rest Api in jQuery ajax call in my domain called www.example.com.

If anyone uses the same http://venkateshrajavetrivel-test.apigee.net/xxx/yyy in their site also, data will be inserted Spams as everyone can use the API.

So, I want the request to be made only if it comes from www.example.com and not from other domains. Is it possible?

Hi @Venkatesh, CORS is an opt-in model -- it works because web browsers choose to adhere to its rules. All the major web browsers will send the Origin header with the request. This Origin is the web page URL's fully-qualified domain name, including protocol. Client-side requests running in a web browser cannot set the Origin manually (the web browser blocks it), so you don't have to worry about client-side requests spoofing your origin. Since it is an opt-in model, non-browser requests can choose to set the Origin to anything, or not set it at all.

You can filter the origin domain in a JS call using CORS origin header.

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. This happens in preflight (OPTIONS) call before the real API call happens.

You should be able to configure Apigee to send correct Origin header back (www.example.com) so that no other domains can do a JS call from any other domain.

http://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work

But your API is still open for anyone else using an api client (like curl) without using JS. So while you are preventing access from other JS clients, your API is still wide open for any other client type.

Perhaps a proper security measure (OAuth perhaps?) is better suited for this?

Thank you so much for the explanation, Ozan. I will try with it. 🙂

Would really help others reading this thread if you can accept the answer(s) you think are helpful.