Restrict Laravel API access to given frontend(s) only
I'm using Laravel as an API with Passport and Password Grant Token.
When no user is logged in, frontends still need to access API routes to get misc data or to register a user. How should I protect these routes, used by a given frontend (set in api.php), to be only accessible by a frontend?
Solution 1:[1]
You can restrict access to your API in the cors.php configuration file. You can set which domains are allowed to access your API in the allowed_origins header. It's a very easy way to achieve this without much hassle.
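As an added example (not part of the original answer), a config/cors.php that replaces the wildcard origin with an explicit list of frontends. The two example.com origins are placeholders, and including oauth/* assumes the frontend requests Passport tokens cross-origin.

```php
<?php
// config/cors.php
// Added example: the origins listed here are placeholders, not values from the page.

return [
    // Routes that get CORS headers. 'oauth/*' is an assumption: it covers
    // Passport's token endpoint when the frontend calls it from another origin.
    'paths' => ['api/*', 'oauth/*'],

    // Only the verbs the frontend actually uses.
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],

    // Weak setting (Laravel's shipped default): any site may call the API
    // from a visitor's browser and read the response.
    // 'allowed_origins' => ['*'],

    // Restricted setting: exact scheme + host (+ port) of each known frontend.
    // A request whose Origin is not listed gets no Access-Control-Allow-Origin
    // header, so the browser refuses to hand the response to the calling page.
    'allowed_origins' => [
        'https://app.example.com',
        'https://admin.example.com',
    ],

    // Regex alternative to the list above. Leave empty unless needed, and
    // anchor any pattern so that look-alike hostnames cannot match.
    'allowed_origins_patterns' => [],

    // Request headers the frontend may send; Authorization carries the bearer token.
    'allowed_headers' => ['Content-Type', 'Accept', 'Authorization', 'X-Requested-With'],

    'exposed_headers' => [],

    // Seconds a browser may cache the preflight result.
    'max_age' => 600,

    // Password-grant tokens travel in the Authorization header, not in cookies,
    // so credentialed (cookie) CORS requests can stay disabled.
    'supports_credentials' => false,
];
```

CORS is enforced by the browser, so this setting controls which web origins can read API responses; it does not authenticate the calling client. Run `php artisan config:clear` after editing if the configuration is cached.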
Solution 2:[2]
This really depends on how you are accessing the API. If you've created an app to access the API, for example, it would be impossible to truly restrict access to known domains as the app is usually served from a local IP address.
If you are accessing the API through your website, it would be wise to follow @tamrat's answer.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | tamrat |
Solution 2 | Supreme Dolphin |