Protecting API routes #12705
giedrius-timinskis asked this question in Help
Nope, anyone can make requests to your endpoint. CORS will help you if some other web app tries to make requests to your endpoint, but it won't help if the request is being executed outside the browser. If only certain users can access the data that you return from your API routes then yes, you need to check the session in every request to make sure the user has permission to see the content. If you want to limit the number of times your API route is "hit", you might want to take a look at rate limiting, but I don't think it is your issue now.
Hello,
First of all I'd like to thank everybody involved in the Nextjs ecosystem. Both the framework, and the community surrounding it have been absolutely wonderful.
I have some questions about protecting the API routes:
Is there a way to make sure the requests to `/api/*` are coming from my frontend? I've tried using https://github.com/zeit/next.js/tree/canary/examples/api-routes-cors , but certain requests like GET or HTML form submit POST will still go through (as per CORS specification). What are my options to make sure that it is my frontend, and not some malicious 3rd party calling the API route?
My application uses cookie based sessions. I know I could bail out early in `getStaticProps`, but that doesn't prevent `/api/*` from being hit directly. Do I need to validate the session as middleware in every API route as well? I really appreciate your answers, thank you!