Webstudio
Log in

Join the Webstudio community

Updated 7 months ago

Help Request - API and Dynamic IPs

At a glance

The community member is using an API to display reviews on their Webstudio site and needs to restrict access to the API for security reasons. However, they've noticed that the IP address used by Webstudio for fetch requests changes regularly, which is causing issues. The community members discuss various solutions, such as restricting the API by IP address, which may not be reliable due to dynamic IP addresses, or setting a maximum billing amount threshold on the API key as a safety measure. The consensus seems to be that restricting by IP address is not a recommended practice, and implementing a quota or billing threshold may be a better approach to protect the API key.

Useful resources
MMr Bean
Hello everyone,

I'm currently using an API to display reviews on my Webstudio site. For security reasons, I need to restrict access to my API to specific IP addresses. However, I've noticed that the IP address used by Webstudio for fetch requests seems to change regularly.

As a result, I'm stuck. Does anyone have a solution to manage this problem of dynamic IP addresses with Webstudio and APIs?

Thanks in advance for your help!
B
M
J
19 comments
BBogdan
Cloudflare is distributed edge network. There is no static ip there. You need to host website on your own. And api still won't work in builder.
BBogdan
Why do you need to restrict by ip? Not very good practice these days.
MMr Bean
You don't think that an unrestricted API key could allow malicious users to get hold of it and use it? I don't know what the standard is, I have played very little with the Google API keys
MMr Bean
You don't put any restrictions?
JJohn Siciliano
Pretty sure you can restrict Google API by domain which is a good idea
MMr Bean
@John Siciliano No, unfortunately I did a lot of research on this subject and for the Google Maps "Place View" API, it does not work. You must use IP addresses
(I also asked Google Cloud Console support)
MMr Bean
That's why I'm asking the question. But as explained, I'm not an expert in Google APIs.

My only fear is if this key gets stolen.
JJohn Siciliano
Are you using it on the backend in resources or the frontend?
MMr Bean
Attachment
image.png
MMr Bean
On the other hand, I manage to make the API request, it's just that after a few minutes it no longer works because the IP has changed.
JJohn Siciliano
That's backend. You're fine. As a safety measure just to be sure, place a maximum billing amount threshold on the API key
MMr Bean
Hmm I don't know how to do this yet...
But this means that we cannot protect the API by IP... 😭
JJohn Siciliano
Somehwere in billing you can say max amount. Even if you did restrict the key, thats not protecting you from mistakes on your side.. what if you implement some infinite redirect and it calls it many times?
JJohn Siciliano
Technically, you can restrict by IP. I think this is the IP you'd want but I personally wouldn't do this https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip-in-worker-subrequests
MMr Bean
Oh ok, but why wouldn't you? Sorry if my question seems stupid
JJohn Siciliano
heres info about quotas https://developers.google.com/maps/documentation/places/web-service/usage-and-billing#set-caps
JJohn Siciliano
Because IPs changes, our infrastructure can change, and im not confident in the IP to block. It's also not needed if you implement a quota as you'll be protected in the very unlikely event your key is leaked
MMr Bean
Thanks πŸ‘
MMr Bean
Hum Ok I understand !
Thanks y very much about yr answer !
Add a reply
Sign up and join the conversation on Discord