Tags: amazon-web-services, express, graphql, apollo

Apollo Express CORS options


How do I protect my graphql route from getting queried from unknown resources?

I have these options currently:

import express from "express"
import cors from "cors"
import { ApolloServer } from "apollo-server-express"

// Browser origins allowed to call the API, with cookies/credentials attached
export const corsOptions = {
  origin: ["https://my-website.com", "https://api.my-website.com"],
  credentials: true,
}

const expressApp = express()
const apolloServer = new ApolloServer({ typeDefs, resolvers }) // schema defined elsewhere
expressApp.use(cors(corsOptions))
// applyMiddleware expects the Express instance under the `app` key
apolloServer.applyMiddleware({ app: expressApp, cors: corsOptions })

I have it deployed on AWS/Fargate.

The problem is that I can still query it from Postman on my computer.

Note, I will also have a React-native app to connect to this API.

What are the right CORS options for me?


Solution

  • As pointed out in the comments, CORS is only enforced by browsers -- it cannot be used to prevent access to your API from other clients like Postman.

    If your API is consumed only by other servers, you can secure it using an API key that can be included in a header or as a URL parameter. API keys can be used to meter and rate-limit consumers of your API as well.

    If your API is consumed by a web or native application, using an API key is largely pointless because end users will be able to get a hold of it by either inspecting the source code or sniffing their local traffic. If you require users to login anyway, then you need to just implement the proper authorization mechanism for your queries. If you want some or all of your queries to be accessible without logging in, then your best bet would be to just implement rate-limiting to limit potential abuse.