I know this is might silly questions but how can I
I want to only accept user from our frontend call to backend method and reject any request from other sources.
Others can confirm, but if you want a “quick” feeback, out of the box, I believe this isn’t possible. The request hitting your endpoints contains no trace of the caller other than their principal.
You could maybe switch to an http_request_update API approach, but you’d need to find a way to pass the caller’s identity yourself. I’m not sure it’s worth the effort or cost, and there are probably other pros and cons to consider.
But again, this is just quick feedback—if I’m wrong, I’d be happy to be corrected.
Hmm, I heard that @NathanosDev are working one same thing like you said.
But It would required more work to convert api to using http gateway.
Thanks for helping
It’s not possible to restrict incoming canister/http requests to a particular domain, there might be http headers you can check but those can be spoofed.
You might need a proxy to spoof these headers within a browser context, but even that is relatively straightforward e.g. a CORS proxy is only a few lines to implement.
The primary method to e.g. avoid spam is a captcha prompt during user sign up.
If the concern is regarding another service using your canister implementation for free, make sure that either only your own canisters or authenticated users can call it.
I believe this is achievable. The rationale:
A simpler approach: Implement a Sign-In proxy service between your App and II. This service can:
1. Handle the login flow for your App
2. Generate verifiable proof of the origin domain
3. Provide this proof to your App for backend verification
When calling backend services, your App includes this origin proof for validation.