Securing Your Laravel API: Restricting Access to a Single Application Domain

Prevent Other Applications from Calling Your REST API in Laravel

In today's interconnected world, building secure APIs is of paramount importance. As a Laravel developer, you may have built an API that should be used only by one specific application, or by a small set of trusted domains. Restricting which origins may call your Laravel API keeps other sites and casual scripts out, reducing the surface for unauthorized access or abuse.

In this article we walk through a practical way to restrict a Laravel API to a single application domain. With the restriction in place, only requests that identify the designated domain as their origin are allowed to reach your API endpoints. Treat it as an additional layer on top of authentication, not a replacement for it: the origin information is reported by the client.

We cover the steps needed to get there: creating a Laravel middleware that intercepts incoming requests, validating the domain the request came from, and responding accordingly. By the end you will know how to implement domain-based access restrictions in your Laravel API.

Let's get started on fortifying your Laravel API so that only an application served from a specific domain, such as "mydomain.xyz", can access it.

To restrict access to your Laravel API to an application served from the domain "mydomain.xyz", you can write a Laravel middleware that checks which domain an incoming request came from, as reported by the request's Origin header (or, when Origin is absent, its Referer header).

Here's an example of how you can achieve this:

  1. Create a new middleware using the following command:

     php artisan make:middleware RestrictByDomain

  2. Open the newly created file app/Http/Middleware/RestrictByDomain.php and replace its contents with the following code. Note that $request->getHost() returns the host the request was sent to (your API's own Host header), so it cannot tell you who is calling; the check has to look at the headers a browser attaches to say where the request came from, Origin and, when Origin is absent, Referer:

     <?php

     namespace App\Http\Middleware;

     use Closure;
     use Illuminate\Http\Request;

     class RestrictByDomain
     {
         public function handle(Request $request, Closure $next)
         {
             // Browsers send Origin on cross-origin and non-GET requests and
             // Referer on most others; both are set by the client, not by us.
             $source = $request->header('Origin') ?? $request->header('Referer');
             $host = $source !== null ? parse_url($source, PHP_URL_HOST) : null;

             // Compare the whole host. A substring or suffix test would also
             // accept a host such as mydomain.xyz.attacker.example.
             if ($host !== 'mydomain.xyz') {
                 return response('Unauthorized.', 401);
             }

             return $next($request);
         }
     }

  3. Register the middleware as a route middleware alias in app/Http/Kernel.php. In Laravel 10 the array is $middlewareAliases (in earlier versions it is $routeMiddleware). Do not add it to the global $middleware array: the alias used in the next step would not resolve, and the check would run on every request rather than only on the API routes. Add the following entry:

     'RestrictByDomain' => \App\Http\Middleware\RestrictByDomain::class,

  4. Apply the middleware, by that alias, to the desired routes in routes/api.php or whichever route file defines your API routes:

     Route::middleware('RestrictByDomain')->group(function () {
         // Your restricted routes here
     });
    
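As an added example, not code from the original article, here is the same middleware generalized to a configurable allow-list of trusted origins (the article's "trusted set of domains"), together with the Kernel registration and route wiring it needs. The config key api.allowed_origins, the alias restrict.domain, the /orders route and OrderController are illustrative names assumed for this example; the https requirement is a design choice explained below.

```php
<?php
// app/Http/Middleware/RestrictByDomain.php
// Added example, not the page's own code: the page's single-domain check
// generalized to a configurable allow-list. The config key "api.allowed_origins",
// the alias "restrict.domain" and the /orders route below are illustrative names.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictByDomain
{
    public function handle(Request $request, Closure $next): Response
    {
        // Hypothetical config/api.php entry, e.g.
        // 'allowed_origins' => ['mydomain.xyz', 'admin.mydomain.xyz'],
        $allowed = array_map('strtolower', config('api.allowed_origins', []));

        $host = $this->sourceHost($request);

        // Exact match of the whole host, not a substring or suffix test, so
        // "mydomain.xyz.attacker.example" and "notmydomain.xyz" are rejected.
        if ($host === null || !in_array($host, $allowed, true)) {
            return response()->json(['message' => 'Forbidden'], 403);
        }

        return $next($request);
    }

    /**
     * Host named by the Origin header, or by Referer when Origin is absent
     * (browsers omit Origin on plain same-origin GETs). Returns null when
     * neither header is usable: missing, "Origin: null", or not https.
     */
    private function sourceHost(Request $request): ?string
    {
        $source = $request->header('Origin') ?? $request->header('Referer');
        if (!is_string($source)) {
            return null;
        }

        $parts = parse_url($source);
        if ($parts === false || ($parts['scheme'] ?? null) !== 'https' || empty($parts['host'])) {
            return null;
        }

        // parse_url separates the port, so "https://mydomain.xyz:8443" still
        // yields "mydomain.xyz"; the comparison is on the host name only.
        return strtolower($parts['host']);
    }
}

// app/Http/Kernel.php: register an alias (Laravel 10 uses $middlewareAliases,
// earlier versions $routeMiddleware), not the global $middleware array.
//
//     protected $middlewareAliases = [
//         // ...
//         'restrict.domain' => \App\Http\Middleware\RestrictByDomain::class,
//     ];
//
// routes/api.php: apply the alias only to the routes the application calls.
//
//     Route::middleware('restrict.domain')->group(function () {
//         Route::get('/orders', [OrderController::class, 'index']);
//     });
```

Requiring an https scheme means a page loaded over plain http, for instance after a downgrade, cannot call the API even from the right host; drop that condition if the application is served over http in development. The 403 status is used because the caller is being refused rather than asked to authenticate. Whatever the allow-list contains, the headers it inspects are supplied by the client, so a non-browser client can still send any Origin it likes; the middleware is a filter for browser traffic, and the routes still need real authentication.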

With this setup, any request to the restricted routes whose Origin (or Referer) header does not name mydomain.xyz receives a 401 Unauthorized response. The code keeps the article's 401; 403 Forbidden describes the situation more precisely, since the client is being refused rather than asked for credentials, and you can change the literal if you prefer.

Only requests that report the allowed domain reach the restricted API routes. Two caveats are worth keeping in mind. First, Origin and Referer are set by the browser, and any other client can set them to whatever it likes: a request such as curl -H 'Origin: https://mydomain.xyz' https://your-api-host/... passes the check. The middleware therefore keeps other web pages and casual scripts out but does not authenticate the caller, and the routes should still be protected by real authentication such as API tokens. Second, browsers omit Origin on plain same-origin GET requests, and a strict Referrer-Policy on the application can suppress Referer as well, so a legitimate request can arrive with neither header and be rejected; exercise the application's own requests after enabling the middleware to confirm nothing it needs is blocked.