The APIs under ‘/node’ is used only for registered validators, so how about restricting access only from them?
If restricted, we can get some benefits from it such as, most of APIs under ‘/node’ use heavily resources, especially storage, so we can prevent abnormal requests from anonymous clients.
We can simply check whether requests is from known validators or not. It’s not to use remote address of request :)
X-SEBAK-VALIDATOR: <public address>
X-SEBAK-SIGNATURE: <signature of (‘Date’ header + receiving node's public address)>
‘Date’ header will be updated in every request and if we can limit the time difference, we also can prevent reusing X-SEBAK-SIGNATURE.
My only comment so far is that the signature should be a hash of the date + the receiving node's public key, otherwise there's an obvious vector for replay attacks.
This will be controversial :)
The APIs under ‘/node’ is used only for registered validators, so how about restricting access only from them?
If restricted, we can get some benefits from it such as, most of APIs under ‘/node’ use heavily resources, especially storage, so we can prevent abnormal requests from anonymous clients.
We can simply check whether requests is from known validators or not. It’s not to use remote address of request :)
‘Date’ header will be updated in every request and if we can limit the time difference, we also can prevent reusing
X-SEBAK-SIGNATURE
.