TL;DR
Secure your API by adding authentication checks for requests coming through a proxy server from your landing page. This guide explains how to use HTTP headers (specifically, a secret token) to verify the source of requests.
Solution Guide
- Understand the Problem
- Choose an Authentication Method
- Generate a Secret Token
- Add the Token to Requests from Your Landing Page
- Implement Authentication on Your API Server
- Configure Your Proxy Server
- Testing
Your landing page makes requests to an API. These requests go through a proxy server. Without authentication, anyone could potentially send requests *through* your proxy and access your API as if they were legitimate users from your landing page. We need a way to verify that the request genuinely came from your intended source.
We’ll use a simple secret token passed in an HTTP header. This is easy to implement and reasonably secure for this scenario. More complex methods like OAuth 2.0 are overkill unless you have very strict security requirements.
Create a long, random string of characters. Keep this token confidential – it’s the key to your authentication system. Store it securely on your landing page server (not in client-side code!).
```shell
openssl rand -base64 32
```
Modify your landing page's API request code to include the secret token in a custom HTTP header. This code must run on the landing page server (for example, in Node) rather than in the browser, because the token must never be shipped to clients. For example, using JavaScript with `fetch`:
```javascript
// Read the token from the server environment, never from client-side code.
const authToken = process.env.API_AUTH_TOKEN || 'YOUR_SECRET_TOKEN';
const data = { example: 'payload' }; // whatever your endpoint expects

fetch('/api/your-endpoint', {
  method: 'POST',
  headers: {
    'X-Auth-Token': authToken,
    'Content-Type': 'application/json',
    // Other headers...
  },
  body: JSON.stringify(data)
});
```
Replace YOUR_SECRET_TOKEN with the actual token you generated.
Modify your API server code to check for the presence and validity of the `X-Auth-Token` header in every request. If the header is missing or contains an incorrect value, reject the request with a 401 Unauthorized error.
Example using Python (Flask):
```python
from flask import Flask, request, abort

app = Flask(__name__)

# Load this from configuration or an environment variable in practice,
# not from source control.
SECRET_TOKEN = 'YOUR_SECRET_TOKEN'

@app.route('/api/your-endpoint', methods=['POST'])
def your_endpoint():
    # Missing header -> None, which also fails the comparison below.
    auth_token = request.headers.get('X-Auth-Token')
    if auth_token != SECRET_TOKEN:
        abort(401)  # Unauthorized
    # Process the request if token is valid...
    return 'Request processed successfully!'
```
Replace YOUR_SECRET_TOKEN with your actual secret token.
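The same check written as a framework-neutral WSGI app, as an added example that is not part of the original guide: it reads the token from an environment variable (`API_AUTH_TOKEN` is an assumed name), rejects a missing header, compares in constant time with `hmac.compare_digest`, and includes an in-process driver that reproduces the valid, invalid and missing-token cases from the Testing step without a network.

```python
"""Header-token check as a plain WSGI app (standard library only)."""
import hmac
import os
from typing import Optional, Tuple

# Assumption: the real token arrives via the environment; the fallback below is
# a constructed value so the example runs offline.
SECRET_TOKEN = os.environ.get("API_AUTH_TOKEN", "example-token-not-for-production")

def token_is_valid(presented: Optional[str], expected: str = SECRET_TOKEN) -> bool:
    """Reject absent/empty headers, then compare in constant time so the
    response timing does not reveal how many leading bytes matched."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())

def app(environ, start_response):
    """WSGI endpoint for POST /api/your-endpoint. WSGI exposes the
    X-Auth-Token request header as environ['HTTP_X_AUTH_TOKEN']."""
    if (environ.get("PATH_INFO") != "/api/your-endpoint"
            or environ.get("REQUEST_METHOD") != "POST"):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if not token_is_valid(environ.get("HTTP_X_AUTH_TOKEN")):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"unauthorized"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Request processed successfully!"]

def call(token: Optional[str], path: str = "/api/your-endpoint",
         method: str = "POST") -> Tuple[str, bytes]:
    """Drive the app in-process and return (status line, body). Passing
    token=None omits the header, which is the 'Missing Token' test case."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if token is not None:
        environ["HTTP_X_AUTH_TOKEN"] = token
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Run it behind your proxy with `API_AUTH_TOKEN` set, and confirm the proxy passes the header through by checking that a valid request still gets 200.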
Ensure your proxy server forwards HTTP headers correctly. Most proxies do this by default, but double-check its configuration to make sure it’s not stripping or modifying the `X-Auth-Token` header.
- Valid Request: Send a request from your landing page with the correct token. It should succeed.
- Invalid Token: Send a request from your landing page with an incorrect token. It should return a 401 Unauthorized error.
- Missing Token: Send a request without the `X-Auth-Token` header. It should also return a 401 Unauthorized error.
- Direct Request (Bypass Proxy): Attempt to access the API directly, bypassing the proxy. This *should* fail if your firewall/network is configured correctly and only allows traffic through the proxy.
- Token Rotation: Periodically change your secret token to minimize the impact of a potential compromise.
- HTTPS: Always use HTTPS for all communication between your landing page, proxy server, and API server to protect against eavesdropping.
- Rate Limiting: Implement rate limiting on your API endpoints to prevent abuse even with valid tokens.