How to make sure that only a specific domain can query from your REST api?

Simply define the header in your request, what this does is, it allows requests only from a certain domain, and instantly rejects any other domain.

response.set('Access-Control-Allow-Origin', 'domain.tld');

EDIT: IF you're really keen against web scraping stuff, you could make a function to double check client's origin.

function checkOrigin (origin) {   if (origin === "your.domain.tld") {     return true;   } else {     return false;   }}/* Handling it in response */if (checkOrigin(response.headers.origin)) {  // Let client get the thing from API} else {  response.write("Send them error that they're not allowed to use the API");  response.end();}

Above example should work for the default HTTP/HTTPS module, and should also work for Express, if I'm not mistaken.

EDIT 2: To back my claim up that it should also work for Express, I found this quotation at their documentation;

The req (request) and res (response) are the exact same objects that Node provides, so you can invoke req.pipe(), req.on('data', callback), and anything else you would do without Express involved.

I would recommend using an API key from the client. CORS filters are too easy to circumvent.

A simple approach for securing a How to implement a secure REST API with node.js

Overview from above post:

Because users can CREATE resources (aka POST/PUT actions) you need to secure your api. You can use oauth or you can build your own solution but keep in mind that all the solutions can be broken if the password it's really easy to discover. The basic idea is to authenticate users using the username, password and a token, aka the apitoken. This apitoken can be generated using node-uuid and the password can be hashed using pbkdf2

Then, you need to save the session somewhere. If you save it in memory in a plain object, if you kill the server and reboot it again the session will be destroyed. Also, this is not scalable. If you use haproxy to load balance between machines or if you simply use workers, this session state will be stored in a single process so if the same user is redirected to another process/machine it will need to authenticate again. Therefore you need to store the session in a common place. This is typically done using redis.

When the user is authenticated (username+password+apitoken) generate another token for the session, aka accesstoken. Again, with node-uuid. Send to the user the accesstoken and the userid. The userid (key) and the accesstoken (value) are stored in redis with and expire time, e.g. 1h.

Now, every time the user does any operation using the rest api it will need to send the userid and the accesstoken.