How to create private api that can only be accessed by the front-end?

I've been looking over the web for a little while but couldn't grasp the concept of making a private API only between front-end and back-end. What I essentially want to do is to have an API that's only accessible through the front-end, not through curl, Postman or anything else.

I have the following setup:

  1. App is hosted on Heroku, backend is in Node.js

  2. I use an HTTPS connection that I self-generated via the Let's Encrypt tool.

  3. I have a public API atm that returns a string 'Hello world'

  4. Currently, you can access it either via the front-end or by going to www.example.com/api/test, but what I would like to do is not allow the user to manually visit the link or use curl or Postman to get that, but instead only make it accessible through the front-end.

  5. The front-end is written in Angular 2 (if it matters at all)

Note that I am not planning to have any user sign in on the website; I simply want to restrict access to the API from the outside world so that only my front-end can get it.

UPDATE USE CASE

The use case in the future is simple. I have a basic sign-up form which asks for an email address and a text description. I then use nodemailer on the backend to send that information to Gmail, using a POST request from Angular 2. I access the data sent through req.on('data') and req.on('end') and process it. My fear is how do I make sure I am not gonna get spammed through that API and receive 10k emails, hence my wish to somehow make the API only accessible through the front-end.

While you cannot prevent a REST service from being called by the whole internet, you can still prevent spamming: whether your service requires authentication or not, it's always the same mechanism, using a captcha (the most important part) and rate-limiting your API.

1. CAPTCHA:

The best way to ensure that the client making the request to a server is driven by a human-being is a captcha.

CAPTCHA:

A CAPTCHA (a backronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human.

You can find plenty of services or libraries that will create captchas, like Google's reCAPTCHA.

2. Rate limiting:

  • For a public service, you can rate-limit access by IP: if the same IP makes 10, 100, or even 1000 requests (depending on the purpose of that service), that's a bit suspicious, so you can refuse to serve it by sending an error status and logging that unfair behavior to the application logs, so the sysadmin can ban the IP at the firewall level with a tool like fail2ban.

  • For an authenticated service, well, that's the same, except you might also want to rate-limit the API based on the IP and on its identity, and might not want to ban an authenticated user...

Note that you don't really have to handle the rate limit yourself for a public API, meaning that preventing the same IP from making 1000 POST requests to the same URL in 10 seconds is something that can and should be done by a sysadmin.
