
I am making an API using Django and DRF. My problem is that my frontend devs don't want to have an SSR application, so I must have a way to protect my API so that if a user figures out an endpoint, they can't use it. In other words, I want to make sure that only my CSR frontend can use my API.

I researched a bit and found things like API gateways and proxy backends, but they don't help with my problem. I thought of CORS, but each user has their own IP address and they can still use curl. I am working on the least privilege principle and already use JWT tokens.

  • The short answer is "you can't". That's simply how the Internet - and any distributed system in general - works: never trust the client. Commented Aug 30, 2024 at 13:56
  • "so I must have a way to protect my API so if a user figures out an endpoint, they can't use it." - What are you afraid of? Commented Aug 30, 2024 at 13:57
  • you can let your users authenticate and only accept requests from authenticated users. But you cannot limit it to an application. Commented Aug 30, 2024 at 13:57
  • I mean, we could discuss the merits of device attestation and a secure boot chain that includes userland applications - but I don't want people thinking that's a good idea. Commented Aug 30, 2024 at 14:01
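An added example (mine, not code from the question or the commenters) of what "only accept requests from authenticated users" looks like as a gate, next to an Origin check of the kind CORS relies on: the Origin check passes for any client that simply sends the header, while the token check needs a signature the client cannot forge. The HS256 secret, the allowed origin and the request headers are constructed values; a real DRF project would use its authentication classes rather than this stdlib-only JWT check.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"          # assumption: server-side HS256 key
ALLOWED_ORIGINS = ("https://app.example",)   # assumption: the CSR frontend's origin

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(user: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT for an already-authenticated user."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                      # pin the algorithm; never trust "none"
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                      # tampered payload or forged signature
        claims = json.loads(_b64url_decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("exp", 0) <= now:
            return None                      # expired
        return claims.get("sub")
    except (ValueError, KeyError):
        return None                          # malformed token

def origin_allowed(headers: dict) -> bool:
    """What a CORS-style check sees: a header the client chose to send (not a gate)."""
    return headers.get("Origin") in ALLOWED_ORIGINS

def authorize(headers: dict, now: Optional[int] = None) -> Tuple[int, str]:
    """Gatekeeper that decides from the verified identity only, never from Origin."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    user = verify_token(auth[len("Bearer "):], now)
    if user is None:
        return 401, "invalid or expired token"
    return 200, f"hello {user}"
```

The same forged-Origin request that satisfies `origin_allowed` is turned away by `authorize`, which is the point the comments make: you can bind access to a user, not to a frontend.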
