Can I use GitHub GraphQL API from the browser safely? - github-api

Can I use GitHub GraphQL API from the browser?
In that case, can I set HTTP referrers restriction to prevent abuse?

Related

How to prevent others from using my REST API?

I've developed a simple REST API using Express.js. I'm using React as my client-side application. So the problem is that anyone can see my API endpoints because the React app is on the client side. So they will also be able to make requests and fetch data from my REST API. (Maybe they will build their own client-side apps using my API.) I've seen some questions about this and couldn't find any comprehensive answer. How should this kind of security problem be handled? Is it possible to give access to the API to only my client app? If not, how do huge brands that use REST APIs prevent that? (Also, I don't have a user authentication scenario in my product. People can just visit and use the website. They don't need to register.)
Authentication can be a way, but it can be bypassed. Another way is that you can create a proxy server which strictly blocks cross-origin requests, so it blocks requests from other domains to your API, and you can make your API calls from that proxy server. In this way your API server endpoint will also not be compromised.
If, as you state in your comment, this is about users on your own website being allowed to use your site's API, while disallowing off-site use (e.g. other websites, wget/curl, etc.), then you need to make sure to set up proper CORS rules (to disallow cross-origin use of your API) as well as CSP rules (to prevent user-injected scripts from proxying your API), and you should also make sure to only allow API calls from connections that have an active session (so even if you don't want user authentication: use a session manager so you can tell if someone landed on your site and got a session cookie set before they started calling API endpoints).
Session management and CORS come with Express itself (see https://expressjs.com/en/resources/middleware/session.html and https://expressjs.com/en/resources/middleware/cors.html); for CSP, and lots of other security layers like HSTS, XSS filtering, etc., you typically use helmet.

Will keeping mutations involving data creation/modification/deletion in GraphQL server code be a security issue?

I have a public React JS website which makes a request to my Node server using CORS (only allowing the domain of my website). My website just fetches GraphQL queries from the frontend. But my Node server code does have GraphQL mutations like adding or deleting content. So, does this make my database insecure even though CORS allows only my website, which has no mutations?
The same-origin policy and CORS are only enforced by web browsers, and even then they can be disabled by individual users. You need to implement proper authentication and authorization for your server application in order to prevent unauthorized access to restricted fields like those on your Mutation type or other fields that may contain private or sensitive data that should not be exposed to all users.

Restrict REST API access to only my website

I created MongoDB and Node.js REST API for my website. I am accessing my database data from the API and showing it on my website. I am doing these things locally on localhost.
Now I want to host my REST API. I don't have any idea regarding hosting. If I host my REST API somewhere and start getting data through its endpoints, then anybody can use those endpoints and access my data, but I want to restrict it to my website only. Meaning that only my website can make requests to that API, no other websites can make a request. If other websites try to access it, it should show an error. How can I achieve this? Can someone please explain to me step by step how I do this?
I think you are referring to CORS. You need to set your API to have a response header like this on all requests:
Access-Control-Allow-Origin: https://yourSiteDomain.com
You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
Other people can still access your API directly though, through postman etc.
What you need is a CSRF (cross-site request forgery) token. For Node.js you can use csurf: http://expressjs.com/en/resources/middleware/csurf.html. Look online for how to implement it.

Do I need to use CORS in case of a RESTful API?

I am building a RESTful API with express.
Are there any cases you can think of where I might need to plug in the https://www.npmjs.com/package/cors library? For what particular scenarios would you use CORS with a RESTful API?
You need CORS when the API is accessed from browsers on a website domain that is different from the API domain. So probably, yes you need to support CORS.
You do not need CORS support if the API is not accessed from a browser.
You do not need CORS support if the API is on exactly the same domain (and port) as the website accessing the API.

What clients can / can't access a RESTful web service by default?

I am currently developing an API that will be launched into production in a matter of weeks. I am relatively new to REST, started reading about CORS - and realized that it could impact me.
What conditions will a REST service not be accessible to a client? I have been using sample html/js on the same server, and through Postman - a google chrome addon - to access my API. I have had no issues so far.
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
What about accessing rest APIs from other non-browser clients? Such as a C# application? Are these requests permitted by default?
Assuming I do need to add 'access-control' headers server-side, to permit the scenario described above when my API goes live, is it better (performance-wise) to let your web server (NGINX in my case) handle the headers, or should I add them through PHP or NodeJS?
This is more about the same-origin policy applied by web browsers than it is about RESTful APIs in general.
If your API is intended to be used by web applications deployed on a different origin host/port than the API, then you have these options:
Respond with appropriate headers that allow for techniques like CORS to work.
Have the web server which serves up your web content (in your example, app.myOTHERserver.com) handle your REST API requests too by proxying your API requests from the web server through to the API server. For example, you could have your API exposed on your web server under the URL /api, and then it's just a matter of setting up a web proxy configuration that forwards requests under that URL to your API server.
Use JSONP or other techniques.
If your API is going to be used by non-web applications, you have nothing to worry about. This is only a restriction applied by browsers when running JavaScript code to make sure that the user hasn't inadvertently clicked on a phishing link with some hackery in it that tries to send their PayPal password to Pyongyang.
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
You can specify what clients can access your web service to an extent. Assuming you're using Express: How to allow CORS?