
AWS API Gateway restricted access from S3 static web page only

I have a Node.js Express server deployed to AWS EBS; the client side, written in React, is deployed to an S3 bucket as a static web page.

I'm working on some sort of sign-up system for a specific service, and I don't want to request credentials from the user, so I guess CSRF / JWT is not going to work.

Is there any way to block all HTTP requests from origins other than the client? Right now, there is a chance someone will just use Postman and make requests to my server, for example creating a user with just an email.

I tried using a private API Gateway, but I couldn't find a way to let the client make requests successfully. I thought about encrypting the HTTP request payload, but I didn't find any way to store a private key where it is not visible to anyone through the browser...

You cannot block all HTTP requests, but you can surely reject them by adding a middleware:

const CLIENT_DOMAIN = '<client domain>'; // placeholder: replace with your client's domain

app.use((req, res, next) => {
  // req.hostname is taken from the request's Host header; reject plain-HTTP
  // requests whose Host does not match the client domain
  if (req.protocol === 'http' && req.hostname !== CLIENT_DOMAIN) {
    return res.sendStatus(403);
  }
  next();
});

The origin is just an HTTP header that someone could set, i.e. "spoof", in their Postman requests. You can check the origin to block random scanner bots, but it isn't going to block anyone that is determined. So please don't confuse this with actual security. You could do this with AWS Web Application Firewall attached to your EB load balancer, or just by adding a check in your Express middleware as in the other answer.

Regarding a private API Gateway, that would never work in this scenario; that is only for resources inside a VPC network, and your React app is running in people's web browsers on the public Internet.

Regarding someone creating a user account "with just an email": that is on you to handle. You should be completely validating the request on the server side, with the knowledge that the request may have come from someone using a tool like Postman, since there is no way to totally prevent that in your scenario.

If you want to use API Gateway for this you could try implementing request validation there. You could also attach a Web Application Firewall to the API Gateway. I believe you could also do the origin header check as part of an API Gateway request validator.
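As an added illustration of the two points above (not code from either answer), here is an Express-style Origin allowlist middleware next to the server-side validation that actually protects the sign-up endpoint; CLIENT_ORIGIN, originAllowlist, validateSignup and signupHandler are names assumed for this example, and the S3 URL is a placeholder.

```javascript
// Added example, not from the original question or answers. Express-style
// middleware that allowlists the Origin header, plus server-side validation of
// the signup body. The Origin check only stops casual scanners: any HTTP client
// can send an arbitrary Origin, so validateSignup() is the part that actually
// protects the endpoint. CLIENT_ORIGIN is a placeholder for the S3 website URL.
const CLIENT_ORIGIN = 'https://example-bucket.s3-website-us-east-1.amazonaws.com';

// Returns an Express middleware that rejects requests whose Origin header is
// not in the allowlist. Node lowercases header names, hence req.headers.origin.
function originAllowlist(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function (req, res, next) {
    const origin = req.headers.origin;
    if (!origin || !allowed.has(origin)) {
      return res.status(403).json({ error: 'origin not allowed' });
    }
    return next();
  };
}

// Validates the signup payload regardless of where the request came from.
// Returns { ok: true, email } with a normalized address, or { ok: false, error }.
function validateSignup(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'body must be a JSON object' };
  }
  const { email } = body;
  if (typeof email !== 'string') {
    return { ok: false, error: 'email is required' };
  }
  const normalized = email.trim().toLowerCase();
  // Conservative shape check: one @, no whitespace, a dot in the domain part,
  // and the RFC 5321 length limit. A real deployment would also send a
  // confirmation link so a bare POST cannot create a usable account.
  if (normalized.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(normalized)) {
    return { ok: false, error: 'email is malformed' };
  }
  return { ok: true, email: normalized };
}

// Route handler. Wiring in an Express app would be:
//   app.use(originAllowlist([CLIENT_ORIGIN])); app.post('/signup', signupHandler);
function signupHandler(req, res) {
  const result = validateSignup(req.body);
  if (!result.ok) return res.status(400).json({ error: result.error });
  // createUser(result.email) would go here (hypothetical persistence call).
  return res.status(201).json({ email: result.email });
}
```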
