
Is it possible to restrict API calls

Hi guys, I have two pages

  • www.example.com (frontend)

  • www.api-example.com (backend)

Do you know if it is possible to restrict the calls to my backend? I mean all the requests must come from www.example.com; otherwise they must be denied. What I don't want is for someone with Insomnia or Postman to send requests to the API all the time.

I am using Django REST framework and I will have the backend on PythonAnywhere. What I would like is that my page www.api-example.com cannot be accessed except through www.example.com.

Do you know how to do this in PythonAnywhere?

You won't be able to completely eliminate hits to your endpoints, but you can make them impossible to use for third-party JS code running on another website in the browser. You can enable some form of authentication (session or token-based). You can also set up CORS and CSRF protection. See https://www.django-rest-framework.org/topics/ajax-csrf-cors/

You can make life more difficult for users of Postman and similar tools by enabling a rate limit. See https://www.django-rest-framework.org/api-guide/throttling/
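An added example, not part of the original posts: a `settings.py` fragment for the API project that combines the measures named in the answer above (an origin allow-list, required authentication, throttling), followed by a small self-check that compares it with a constructed weak configuration. It assumes the third-party django-cors-headers package and DRF token authentication; `FRONTEND`, `WEAK`, `SCOPES`, `audit` and the sample rates are names and values made up for illustration.

```python
# Added example: settings.py fragment for the API project, plus a self-check.
# Assumptions: django-cors-headers is installed ("corsheaders" in INSTALLED_APPS,
# "corsheaders.middleware.CorsMiddleware" near the top of MIDDLEWARE) and token
# auth is used ("rest_framework.authtoken" in INSTALLED_APPS).
FRONTEND = "https://www.example.com"   # the only browser origin that may call the API

CORS_ALLOWED_ORIGINS = [FRONTEND]      # django-cors-headers allow-list
CSRF_TRUSTED_ORIGINS = [FRONTEND]      # Django; matters if you use session auth
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.TokenAuthentication"],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated"],
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle"],
    # Constructed sample rates; tune them to real traffic.
    "DEFAULT_THROTTLE_RATES": {"anon": "20/minute", "user": "120/minute"},
}

# Constructed "before" settings for comparison: open CORS, no auth, no throttle.
WEAK = {
    "CORS_ALLOW_ALL_ORIGINS": True,
    "REST_FRAMEWORK": {
        "DEFAULT_PERMISSION_CLASSES": ["rest_framework.permissions.AllowAny"]},
}

SCOPES = {"AnonRateThrottle": "anon", "UserRateThrottle": "user"}

def audit(settings=None):
    """Return findings for a settings mapping (default: this module)."""
    s = globals() if settings is None else settings
    drf = s.get("REST_FRAMEWORK", {})
    found = []
    if s.get("CORS_ALLOW_ALL_ORIGINS"):
        found.append("cors: any website may read API responses")
    elif set(s.get("CORS_ALLOWED_ORIGINS", [])) - {FRONTEND}:
        found.append("cors: origins other than the frontend are allowed")
    perms = drf.get("DEFAULT_PERMISSION_CLASSES", [])
    if not perms or any(p.endswith(".AllowAny") for p in perms):
        found.append("auth: unauthenticated callers are accepted")  # DRF default
    throttles = drf.get("DEFAULT_THROTTLE_CLASSES", [])
    if not throttles:
        found.append("throttle: no rate limit")  # DRF default
    rates = drf.get("DEFAULT_THROTTLE_RATES", {})
    for cls in throttles:
        scope = SCOPES.get(cls.rsplit(".", 1)[-1])
        if scope and not rates.get(scope):
            found.append(f"throttle: no rate set for scope '{scope}'")
    return found
```

The CORS allow-list is enforced by browsers only, so the permission and throttle entries are the settings that apply to requests sent from Postman or Insomnia.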

thanks so much :)