I want to block calls to my Django REST API (www.backend_django.com) from unknown origins. For example, I have a website under the domain "www.example.com", and I want to allow only this site to be able to make requests to my API.
In order to do this, I have configured Django-Cors-Headers in the following way:
DEBUG = False
ALLOWED_HOSTS = ["www.backend_django.com", "backend_django.com"]

CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = (
    'https://backend_django.com',
    'https://www.backend_django.com',
    'https://example.com',
    'https://www.example.com',
)

CSRF_TRUSTED_ORIGINS = [
    'backend_django.com',
    'example.com',
]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'social_django.middleware.SocialAuthExceptionMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',
]
In order to test it, I made a call from Postman on my computer, and the request to the API still succeeded.
Did I set something up incorrectly in the settings? How can I achieve this?
CORS restrictions won't prevent other hosts from making direct requests to your API.
If you need granular restrictions then you could use something like django-iprestrict.
If you need to restrict the whole backend app, it's easier via web server settings (.htaccess or similar).
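To make the answer's point concrete, here is an added, framework-free simulation (not code from the question, the answer, or django-cors-headers) of the two behaviours involved. The `Request`/`Response` classes are simplified stand-ins for Django's `HttpRequest`/`HttpResponse`, the `cors_middleware` mimics what `corsheaders.middleware.CorsMiddleware` does with `CORS_ORIGIN_ALLOW_ALL = False`, and `ip_allowlist_middleware` is a hypothetical stand-in for the kind of server-side check django-iprestrict or a web-server rule would perform. The client addresses and the `203.0.113.0/24` allowlist are constructed values (RFC 5737 test networks).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Origins the front-end is served from (mirrors the CORS_ORIGIN_WHITELIST idea).
CORS_ORIGIN_WHITELIST = ("https://example.com", "https://www.example.com")

# Constructed allowlist of client networks (TEST-NET-3), standing in for what a
# tool such as django-iprestrict would be configured with. Assumption for the example.
ALLOWED_CLIENT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Request:
    """Simplified stand-in for Django's HttpRequest."""
    headers: Dict[str, str]
    remote_addr: str


@dataclass
class Response:
    """Simplified stand-in for Django's HttpResponse."""
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def api_view(request: Request) -> Response:
    # The protected resource: served to whoever the middleware chain lets through.
    return Response(200, '{"items": [1, 2, 3]}')


def cors_middleware(get_response):
    """Behaves like django-cors-headers with CORS_ORIGIN_ALLOW_ALL = False:
    it only decides whether to attach an Access-Control-Allow-Origin header.
    The view still runs and the body is still returned whatever the Origin is,
    and a non-browser client (curl, Postman, a script) may send any Origin value,
    so the header is not a credential and CORS is not access control."""
    def middleware(request: Request) -> Response:
        response = get_response(request)
        origin = request.headers.get("Origin")
        if origin in CORS_ORIGIN_WHITELIST:
            response.headers["Access-Control-Allow-Origin"] = origin
        return response
    return middleware


def ip_allowlist_middleware(get_response):
    """Hypothetical server-side enforcement: refuse before the view runs unless
    the client address lies inside an allowed network. This is the kind of
    check the answer points to (django-iprestrict / web-server rules)."""
    def middleware(request: Request) -> Response:
        addr = ipaddress.ip_address(request.remote_addr)
        if not any(addr in net for net in ALLOWED_CLIENT_NETWORKS):
            return Response(403, "forbidden")
        return get_response(request)
    return middleware


def cors_only_app():
    """The questioner's setup: CORS middleware and nothing else."""
    return cors_middleware(api_view)


def ip_restricted_app():
    """CORS plus a real server-side gate. Outermost middleware first, as in MIDDLEWARE."""
    return cors_middleware(ip_allowlist_middleware(api_view))


def call(app, origin: Optional[str], remote_addr: str) -> Tuple[int, Optional[str], str]:
    """Send one request through an app; return (status, ACAO header, body)."""
    headers = {"Origin": origin} if origin else {}
    resp = app(Request(headers, remote_addr))
    return resp.status, resp.headers.get("Access-Control-Allow-Origin"), resp.body


if __name__ == "__main__":
    # Postman-style request with no Origin, from an address outside the allowlist.
    print("CORS only, no Origin:      ", call(cors_only_app(), None, "198.51.100.7"))
    print("CORS only, spoofed Origin: ", call(cors_only_app(), "https://www.example.com", "198.51.100.7"))
    print("IP allowlist, outside net: ", call(ip_restricted_app(), None, "198.51.100.7"))
    print("IP allowlist, inside net:  ", call(ip_restricted_app(), None, "203.0.113.5"))
```

Running it shows the questioner's Postman result: with CORS alone the body comes back with status 200 whether the Origin header is absent, whitelisted, or anything else; the only difference is whether `Access-Control-Allow-Origin` is present, which matters to a browser reading the response and to nothing else. The IP-restricted chain is what actually returns 403. Note the trade-off the answer implies: an IP allowlist fits server-to-server callers with known addresses, whereas visitors of www.example.com call the API from their own addresses, so for browser users the effective control is authentication on the API (sessions or tokens), not origin or IP.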