Limit HTTP access using CORS or secret key? #372
-
|
Is this possible? I saw on this answer on pocketbase: pocketbase/pocketbase#606 (comment) A secret key would be preferred so that I can limit access to my Pockethost instance via server-side requests. While it's super easy for prototyping, there's a non-negligible class of website projects that don't want to allow public access to their database. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
|
Right, CORS is no good for that. You can accomplish a secret key using the PocketBase JS hooks custom middleware https://pocketbase.io/docs/js-routing/#custom-middlewares We are also considering adding an IP whitelisting feature, would that be useful for you? |
Beta Was this translation helpful? Give feedback.
-
|
Host headers cannot be trusted, so trusting an IP address from a host header would not be secure anyway. However, in the case of cloudflare, they actually do provide a list of IP addresses and your origin can block all requests not originating from their IP address list. Pockethost does this. IP CIDR |
Beta Was this translation helpful? Give feedback.
-
|
Whitelisting an IP block doesn't necessarily add security either, though I can't speak to Cloudflare specifically. In the case of Heroku, your application could be provisioned with any IP address in a given region which means you'd possibly have to whitelist the whole region no? In that case, anyone who wanted access could just launch a server in the same AWS region and fire off requests. I'd call this an edge case. But if someone is using Pockethost for managed db services, there's a high probability they're using managed app hosting services as well. If IP whitelisting were offered to a Pockethost user and they weren't doing their homework on their hosting providers (which is very likely) they'd be given a false sense of security by adding IP whitelist/blacklist. Your hook recommendation sounds like the best solution. Maybe a guide would serve better than a new feature here for newcomers. |
Beta Was this translation helpful? Give feedback.
-
|
Cloudflare has static IPs. https://www.cloudflare.com/ips/ |
Beta Was this translation helpful? Give feedback.
-
This is probably true. There are some users who wish to run private PocketHost backends and I think a secret key header would work for just about every use case. Care to draft some docs and leave them here or in a PR? |
Beta Was this translation helpful? Give feedback.
-
|
Happy to do it! Will make some time for it this week. |
Beta Was this translation helpful? Give feedback.
Right, CORS is no good for that.
You can accomplish a secret key using the PocketBase JS hooks custom middleware https://pocketbase.io/docs/js-routing/#custom-middlewares
We are also considering adding an IP whitelisting feature, would that be useful for you?