I have a node frontend express server and a node api express server.
How can I best ensure that only requests that are made to the api are made from the frontend express server?
There is no user authentication so the user will not be sending a jwt with each request.
The easiest way would be to set the Content Security Policy using Helmet.js, and you can easily add other security features using Helmet.

    const express = require('express')
    const helmet = require('helmet')

    const app = express()

    // Sends a Content-Security-Policy header on every response
    app.use(helmet.contentSecurityPolicy({
      directives: {
        defaultSrc: ["'self'"],
        // styleSrc probably not needed but you can set those too
        styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
      }
    }))
This effectively tells the browser “only load things that are from my own domain”.
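Added example, not part of the answer above: it builds the header value those Helmet directives produce (Helmet turns camelCase names such as defaultSrc into default-src) and then checks which loads a browser would permit under that policy, including the fallback of an unset connect-src to default-src. Host matching is simplified to exact host names, and the origins used are made up.

```javascript
// Constructed example: the same directives as in the answer above.
const directives = {
  defaultSrc: ["'self'"],
  styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com'],
};

// defaultSrc -> default-src (the conversion Helmet performs)
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Serialise the directives object into a Content-Security-Policy header value.
function buildCsp(dirs) {
  return Object.entries(dirs)
    .map(([name, sources]) => `${toKebab(name)} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { 'default-src': [...], 'style-src': [...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Would a page served from `pageOrigin` be allowed to load `url` under `directive`?
// Fetch directives (script-src, style-src, connect-src, img-src, ...) fall back to
// default-src when they are not set. Simplified: host sources match by exact host,
// no wildcard or scheme matching (assumption for this example).
function isAllowed(policy, directive, pageOrigin, url) {
  const sources = policy[directive] || policy['default-src'] || [];
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src === "'none'") return false;
    return target.host === src;
  });
}

// "default-src 'self'; style-src 'self' maxcdn.bootstrapcdn.com"
const header = buildCsp(directives);
const policy = parseCsp(header);
```

With this policy a page on https://app.example (made-up origin) may load a stylesheet from maxcdn.bootstrapcdn.com but may only fetch() its own origin, since connect-src falls back to default-src.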
In my opinion, you should