Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

how to allow access to api routes from a dynamic list of known origins #391

Closed nosizejosh closed 3 months ago

nosizejosh commented 3 months ago

Hello, I am new to nuxt-security.

I am writing a set of APIs and I want to block access from all origins except a list of known origins. My application is multitenant, so only tenants should be able to access this set of APIs. This list will be updated periodically.

How do I go about implementing this as a first layer of security?

Thank you.

Baroshem commented 3 months ago

Hey Buddy,

Thanks for asking this question. From your use case, I would go for Cross Origin Resource Sharing (CORS).

https://nuxt-security.vercel.app/documentation/middleware/cors-handler

So something like this:


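```ts
// nuxt.config.ts, inside defineNuxtConfig({ ... })
security: {
  corsHandler: {
    // Origins that are allowed to make cross-origin requests
    origin: ['allowed-origin-1', 'allowed-origin-2', 'etc']
  }
}
```

nosizejosh commented 3 months ago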

Thanks for your response.

I implemented this in a middleware instead.

Thanks!
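For the periodically updated origin list discussed in this thread, the following is an added example and not code from nuxt-security or from either commenter: a framework-independent allowlist that a server middleware could consult with the request's `Origin` header. `OriginAllowlist`, `replace` and `decide` are hypothetical names and the tenant origins are constructed sample values; because non-browser clients can send any `Origin`, the check is a first layer in front of tenant authentication.

```javascript
// Added example, not nuxt-security code. OriginAllowlist, replace() and decide()
// are hypothetical names; the tenant origins below are constructed sample values.

// Canonicalise to scheme://host[:port]; return null for anything that is not a bare origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
  return u.origin;
}

class OriginAllowlist {
  constructor() { this.allowed = new Set(); } // empty set: deny until the first load

  // Call from a periodic job with the current tenant origins (e.g. read from a database).
  // Returns the entries that were rejected so malformed rows can be logged.
  replace(origins) {
    const next = new Set();
    const rejected = [];
    for (const o of origins) {
      const n = normalizeOrigin(o);
      if (n) next.add(n); else rejected.push(o);
    }
    this.allowed = next; // single assignment, so requests never see a half-built list
    return rejected;
  }

  // Decide for one request. Exact match only: no substring, suffix or regex tests.
  decide(originHeader) {
    const origin = normalizeOrigin(originHeader);
    const headers = { Vary: 'Origin' }; // the response differs per origin, so caches must key on it
    if (!origin || !this.allowed.has(origin)) return { allowed: false, headers };
    headers['Access-Control-Allow-Origin'] = origin; // echo the matched origin, never '*'
    return { allowed: true, headers };
  }
}

// Constructed sample data: two valid tenant origins and one malformed entry.
const allowlist = new OriginAllowlist();
const rejected = allowlist.replace([
  'https://tenant-a.example',
  'https://Tenant-B.example:8443/',
  'tenant-c.example',
]);
```

In a middleware, a result with `allowed: false` would end the request with a 403 before the API handler runs.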