Hacker News new | past | comments | ask | show | jobs | submit login

How do you prevent people proxying your API via a node service?

This is something I could never get my head around with CORS - what's the point of whitelisting origins if getting around the whitelist is nothing more than an inconvenience?

CORS is mostly used to prevent attacks from a browser script on a non-whitelisted website (CSRF etc.).

To prevent someone abusing your API otherwise, use an authentication method.

The user is still protected in that case.

If you create a proxy for foo.com, your javascript can't get the browser to send the user's cookies for foo.com to your proxy.

It's not free to run a proxy like that.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact