For one of my project, I needed to host an API service on the RapidAPI platform. In order to make sure that all the requests to the application are routed via RapidAPI I needed to check special header sent by RapidAPI.
RapidAPI forwards each valid request to the configured server, but injects additional header X-RapidAPI-Proxy-Secret
. While a hacker may also send the same header, the value of this header will be only known to RapidAPI platform and your app.
I deployed the server on heroku, and defined an environment variable
PROXY_SECRET
which I check against the one sent with the request.
Sometimes I need to test the server directly, in which case I simply do not set this variable (like on my local machine) and this check is bypassed.
Code
import os
from starlette.requests import Request
from starlette.responses import PlainTextResponse
app = FastAPI()
@app.middleware("http")
async def check_rapidAPI_proxy_header(request: Request, call_next):
# Check if server knows about valid "secret"
secret_header = os.environ.get("PROXY_SECRET", None)
if secret_header:
headers = request.headers
# If the header is missing, or does not match expected value
# Reject the request altogether
if (
"X-RapidAPI-Proxy-Secret" not in headers
or headers["X-RapidAPI-Proxy-Secret"] != secret_header
):
return PlainTextResponse(
"Direct access to the API not allowed", status_code=403
)
response = await call_next(request)
return response
Resources
- Uvcorn's ProxyMiddleWare - This is related but was not directly useful for me.
- FastAPI middleware documentation
- RapidAPI Proxy Secret
Top comments (0)