
I have some REST APIs deployed on api.xyz.com. Now I want to allow all APIs to be accessible only through authorized mobile devices and my own domain, xyz.com.

If I set the allow-origin headers to my site, then the API stops responding to mobile devices. Please suggest whether this is possible.

Also, when I try to get the consumer IP address in a REST API call, it always returns my API server's public IP in $_SERVER['REMOTE_ADDR'] instead of the client IP address. I also tried this to get the consumer IP address, but with no success:

        $ipaddress = '';
        // Every HTTP_* value below is copied from a request header, so it holds
        // whatever the sender (or an intermediate proxy) chose to put there.
        // Only REMOTE_ADDR is filled in by the server from the TCP connection.
        if (getenv('HTTP_CLIENT_IP')) {
            $ipaddress = getenv('HTTP_CLIENT_IP');
        } else if (getenv('HTTP_X_FORWARDED_FOR')) {
            $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
            // X-Forwarded-For may be a comma-separated chain; take the first entry
            if (strpos($ipaddress, ',') > 0) {
                $addr = explode(",", $ipaddress);
                $ipaddress = trim($addr[0]);
            }
        } else if (getenv('HTTP_X_FORWARDED')) {
            $ipaddress = getenv('HTTP_X_FORWARDED');
        } else if (getenv('HTTP_FORWARDED_FOR')) {
            $ipaddress = getenv('HTTP_FORWARDED_FOR');
        } else if (getenv('HTTP_FORWARDED')) {
            $ipaddress = getenv('HTTP_FORWARDED');
        } else if (getenv('REMOTE_ADDR')) {
            $ipaddress = getenv('REMOTE_ADDR');
        } else {
            $ipaddress = 'UNKNOWN';
        }

Please suggest why it always gives my server's public IP even if I hit the API from my machine.

Thanks

  • You invariably CAN'T get the user's actual IP address, especially if it's a mobile device. Those are almost ALWAYS behind a NAT gateway, and the only IP you'll get is the gateway's. Commented Jul 21, 2015 at 14:50
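The symptom in the question (REMOTE_ADDR is always the API server's own public address) is the usual sign that a reverse proxy or load balancer terminates the connection in front of PHP: the TCP peer is the proxy, and the original address survives only in a header the proxy appends, typically X-Forwarded-For. The code posted in the question reads several such headers, but every HTTP_* value is copied straight from the request, so anyone calling the API directly can set X-Forwarded-For to whatever they like. The block below is an added example, not code from the question or from any answer. It assumes PHP 7.1 or later and a list of trusted proxy ranges (TRUSTED_PROXIES, with placeholder values) that you replace with the addresses of your own load balancer or reverse proxy. It trusts X-Forwarded-For only when the connection arrives from one of those ranges, and walks the chain from the right so that entries the client injected are never reached:

```php
<?php
// Added example (not from the original post). Trusted proxy ranges are an
// assumption; replace them with the addresses of your own infrastructure.
declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.0/8', '203.0.113.0/24']; // placeholder ranges

// True if $ip (IPv4 or IPv6) lies inside the CIDR block $cidr.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton((string) $net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or mixing IPv4 with IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Client address for a request. $server mirrors $_SERVER so the logic can be
// exercised with constructed input; in production pass $_SERVER itself.
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // If the TCP peer is not one of our proxies, no header can be trusted.
    if (!isTrustedProxy($remote)) {
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote; // proxy did not add the header; fall back to the peer
    }
    // Walk right to left: the rightmost entry was appended by the proxy
    // closest to us, everything left of our own hops came from outside.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // junk injected upstream; stop before trusting anything further left
        }
        if (!isTrustedProxy($hop)) {
            return $hop; // first address our own infrastructure did not add
        }
    }
    return $remote;
}

// Constructed requests for illustration.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',                             // our load balancer
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.7, 10.0.0.9',      // 1.2.3.4 was sent by the client
];
$directWithSpoof = [
    'REMOTE_ADDR'          => '198.51.100.7',                         // no proxy involved
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',                            // attacker-supplied header
];
echo clientIp($viaProxy), "\n";
echo clientIp($directWithSpoof), "\n";
```

In the first constructed request the walk skips 10.0.0.9 (one of our proxies) and stops at 198.51.100.7, ignoring the 1.2.3.4 the client prepended; in the second the peer is not a trusted proxy, so the spoofed header is ignored and the peer address is returned. Whatever list you use for TRUSTED_PROXIES, keep it to addresses you control; a proxy outside your control can still write anything into the header.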

3 Answers

I would suggest securing your REST API via access tokens. I just did something similar for a REST API I created. There are lots of great articles available for "secure REST API". Below is a link to one I found particularly useful. I highly suggest using HTTPS to help secure your API as well.

https://stormpath.com/blog/secure-your-rest-api-right-way/


This is how you normally check for the real visitor IP:

if (!empty($_SERVER["HTTP_CLIENT_IP"]))
{
 // Client-IP request header (set by some shared-internet proxies)
 $ip = $_SERVER["HTTP_CLIENT_IP"];
}
elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
{
 // X-Forwarded-For request header (set by proxies; may be a comma-separated chain)
 $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
}
else
{
 // Address of the TCP peer, set by the web server itself
 $ip = $_SERVER["REMOTE_ADDR"];
}

// This will print the user's real IP address,
// whether or not the user is using a proxy.
echo $ip;

This REST API Authorization & Authentication (web + mobile) might come in handy.


I tried setting header("Access-Control-Allow-Origin : example.com") on my API domain, but it still allows requests when I hit it from other origins and returns a response. Why is it not blocking other origins when I allowed only example.com?
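Access-Control-Allow-Origin is an instruction to browsers, not a server-side access control. The server still executes the request and sends the response; the browser's same-origin policy then decides whether script on a page from another origin may read that response. curl, native mobile apps and other non-browser clients send no Origin header and ignore the response header entirely, which is why the API kept responding. Two details of the header itself: the name should have no space before the colon, and the value should be a full origin with scheme and host, such as https://example.com, not a bare host name. The block below is an added example, not code from the answer or the comment above; it assumes PHP 7 and an allowlist ALLOWED_ORIGINS (placeholder values). It emits CORS headers only for an allowlisted Origin and is meant to sit in front of a separate authentication check, since CORS restricts nothing for non-browser callers:

```php
<?php
// Added example (not from the original answer or comment): CORS is a
// browser-side control; it decides what a page on another origin may read,
// not whether the server handles the request.
declare(strict_types=1);

// Assumed allowlist of full origins (scheme + host [+ port]); placeholders.
const ALLOWED_ORIGINS = ['https://xyz.com', 'https://www.xyz.com'];

// CORS response headers for a request, given a $_SERVER-shaped array.
// Returns [] when there is no Origin or it is not allowlisted; without an
// Access-Control-Allow-Origin header the browser refuses to hand the response
// to script on the foreign page, but the server has still served the request.
function corsHeaders(array $server): array
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    // Exact, case-sensitive match on the whole origin. Do not reflect an
    // arbitrary Origin back, and never combine "*" with credentials.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Vary'                         => 'Origin', // caches must key on Origin
        'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
        'Access-Control-Max-Age'       => '600',
    ];
}

// Send the headers; answer a preflight OPTIONS request with an empty 204.
function emitCors(array $server): void
{
    foreach (corsHeaders($server) as $name => $value) {
        header($name . ': ' . $value); // colon immediately after the name
    }
    if (($server['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        http_response_code(204);
        exit;
    }
}

// Constructed requests for illustration. Real code calls emitCors($_SERVER)
// and then authenticates the caller (e.g. a bearer token) regardless of
// origin, because the third request reaches the handler with no CORS at all.
$requests = [
    'browser page on https://xyz.com' => ['HTTP_ORIGIN' => 'https://xyz.com'],
    'browser page on another origin'  => ['HTTP_ORIGIN' => 'https://attacker.example'],
    'curl or native mobile app'       => [], // non-browser clients send no Origin
];
foreach ($requests as $label => $server) {
    $sent = corsHeaders($server) !== [];
    printf("%-34s Access-Control-Allow-Origin sent: %s\n", $label, $sent ? 'yes' : 'no');
}
```

The allowlist match is deliberately exact: prefix or substring checks on the Origin (for example accepting anything that contains "xyz.com") let an attacker register xyz.com.attacker.example and pass. Vary: Origin is there so a shared cache does not serve a response carrying one origin's header to a page on another.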

Definitely the way to go is to create Tokens, either Session Tokens or Access Tokens. We used Session Tokens with the WealthEngine API (http://dev.wealthengine.com/api) specifically so that they would timeout. At a recent API event David from ProgrammableWeb had a great demonstration on how easy it is to Sniff Tokens and Secrets from Mobile Apps on the Android platform. This is exactly why you would want those Tokens to expire.
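Both the first answer and this one recommend access tokens, and this one adds the reason for expiry: a token sniffed from a mobile app's traffic or pulled out of its storage stays useful until it expires or is revoked. The block below is an added example of a minimal expiring bearer token, not code from either answer or from the APIs they link. It assumes PHP 7.1 or later and a server-side secret ($secret, a placeholder that you load from configuration). The token carries a JSON payload (subject, expiry, nonce) signed with HMAC-SHA256, the signature is checked with a constant-time comparison before the payload is parsed, and the token is rejected once its lifetime has elapsed. The current time is passed in as a parameter so expiry can be exercised deterministically:

```php
<?php
// Added example (not from the original answers): minimal expiring access token.
// Assumptions: PHP 7.1+, and $secret is a high-entropy value from your config.
declare(strict_types=1);

const TOKEN_LIFETIME_SECONDS = 900; // assumed lifetime: 15 minutes

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): ?string
{
    $rem = strlen($s) % 4;
    if ($rem !== 0) {
        $s .= str_repeat('=', 4 - $rem);
    }
    $out = base64_decode(strtr($s, '-_', '+/'), true); // strict mode rejects junk
    return $out === false ? null : $out;
}

// Issue a token for $subject (a device or user id) valid from $now.
function issueToken(string $subject, string $secret, int $now): string
{
    $claims = [
        'sub'   => $subject,
        'exp'   => $now + TOKEN_LIFETIME_SECONDS,
        'nonce' => bin2hex(random_bytes(8)), // makes every token unique
    ];
    $body = b64url(json_encode($claims));
    $sig  = b64url(hash_hmac('sha256', $body, $secret, true));
    return $body . '.' . $sig;
}

// Returns the claims on success, null on any failure (malformed, bad
// signature, expired). The signature is verified before the payload is parsed.
function verifyToken(string $token, string $secret, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, $secret, true));
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }
    $raw = b64urlDecode($body);
    if ($raw === null) {
        return null;
    }
    $claims = json_decode($raw, true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp'])) {
        return null;
    }
    if ($claims['exp'] <= $now) {          // a sniffed token dies with its expiry
        return null;
    }
    return $claims;
}

// Extract "Authorization: Bearer <token>" from a $_SERVER-shaped array.
function bearerTokenFrom(array $server): ?string
{
    $auth = $server['HTTP_AUTHORIZATION'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/', $auth, $m) === 1 ? $m[1] : null;
}

// Usage with a constructed request.
$secret = 'replace-with-a-random-32-byte-secret-from-config'; // placeholder
$now    = time();
$token  = issueToken('device-42', $secret, $now);

$request = ['HTTP_AUTHORIZATION' => 'Bearer ' . $token];
$claims  = verifyToken((string) bearerTokenFrom($request), $secret, $now);
echo $claims === null ? "rejected\n" : "accepted for {$claims['sub']}\n";

// The same token after its lifetime, and a tampered copy, are both rejected.
var_dump(verifyToken($token, $secret, $now + TOKEN_LIFETIME_SECONDS) === null);
var_dump(verifyToken($token . 'x', $secret, $now) === null);
```

Serve this only over HTTPS, as the first answer says; the expiry limits the damage from a captured token, it does not prevent capture. On some Apache and PHP-CGI/FastCGI setups the Authorization request header is not exposed in $_SERVER['HTTP_AUTHORIZATION'] without server configuration, so check that bearerTokenFrom actually sees the header on your deployment.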
