I deployed a REST API on Heroku, but it accepts direct requests without a key. How can I restrict access solely to RapidAPI’s requests?
I had a similar need to restrict access to our publicly hosted API while still allowing a select set of external partners to connect. In our scenario, we implemented middleware that specifically checked for a custom token provided by the trusted intermediary service. This token was unique and not disclosed publicly, making it an effective gatekeeper. In addition, verifying signature integrity on each request helped to flag any potential tampering. This approach required careful management of tokens and updating them if needed, but the added security advantage made it worth the extra effort.
I added a custom middleware that checks for a specific RapidAPI header, so if the header isn't present the request gets blocked. It's not 100% foolproof but works well when combined with signature checks.
I encountered a similar situation last year when I needed to ensure my API was only accessed through a specific intermediary. In my case, I added a middleware function that verified a unique header, one that was predefined by RapidAPI, thus filtering out requests without proper authentication. Additionally, combining this with IP whitelisting for RapidAPI’s known inbound IP ranges provided an extra layer of security. This method not only restricted access but also allowed clear logging and tracking of incoming requests to identify any misdirection attempts.