Mauricio Robayo

38 likes · 5.3K reads · 10 comments

Micah Lindley
Feb 14, 2020

This article is a godsend! I've been struggling with this and actually just published an article detailing that I'm going to have to rebuild all of my web apps because of security issues. But now I don't! Can't thank you enough. Thanks for the great article!

4 likes
George Benjamin
Feb 14, 2020

Great article!

1 like
Gafar Popoola
Feb 16, 2020

Great article. This solution only partly addresses the problem from the browser's point of view. The proxy server can still be tricked by spoofing the origin header using a tool like curl. There's really no way your proxy server would differentiate a spoofed request from a request that originated from the browser.

1 like
2 replies
Mauricio Robayo (Author)
Feb 18, 2020

You are 100% right: This only addresses the problem from the browser's point of view. Thanks for the feedback and for bringing up the issue.
Pankaj C.
Feb 22, 2020

What can be a solution for this problem?
Nora Brown
Mar 28, 2020

This article was quite helpful. I had to make a change to api-key-proxy-server to get it to work. Please see this GitHub issue.

1 like
1 reply
Mauricio Robayo (Author)
Mar 29, 2020

Thanks for taking the time to report the issue! Fixed.
Zlati Pehlivanov
Feb 15, 2020

That all sounds right, for web at least, but most of the services that require an API key actually require you to enter a domain to which this API key is given, and for mobile the SHA1 of your app, at least on Android. So requests from a different domain and from a different mobile app will fail. How does this proxy make things better? What about having to pay more for that proxy to work non-stop for everybody? Why implement the same authorization twice?

1 reply
Mauricio Robayo (Author)
Feb 16, 2020

Hi, you are right! That's not the use case for what's described. I don't see why you would implement a proxy server if the API service you are using handles credential authorization with allowed domains. That's stated in the article.
Ngwube Precious
Nov 28, 2020

Nice article, really helped me, but I couldn't host the proxy server on Heroku; it keeps throwing this error:
src/config.ts(27,7): error TS2322: Type '{ route: string; allowedMethods: string[]; target: string; headers: { Accept: string; Authorization: string; }; body: string; }' is not assignable to type 'Proxy'

I don't know if anybody has the same error. I am also trying to work with the GitHub GraphQL API; that's why I added body.