I am facing a strange situation where i couldn't find a proper answer to.
I am using some kind of an API where i can send responses to certain requests from the same root domain.
My api is in a subdomain (https://api.mysite.com)
And there are some client frameworks in PHP
, such as
- mysite.com
- mobile.mysite.com
- admin.mysite.com
I only want this API be accessible from the same root domain. Therefore i added AccessControlAllowOrigin headers which are working quite good.
But the problem is, i also want to make sure that nobody can access to this API, because CORS is browser based, and i can easily access this API from other tools such as POSTMAN.
That is why i added some code to my .htaccess
so that only from the same IP can access my system.
Here is my .htaccess file.
php_flag display_errors on
php_value error_reporting 9999
SetEnvIf Origin "http(s)?://(www\.)?(mysite.com|mobile.mysite.com|admin.mysite.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary Origin
RewriteEngine On
RewriteBase /
order allow,deny
deny from all
allow from // MY IP HERE
<RequireAny>
Require ip allow from // MY IP HERE
</RequireAny>
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
# DirectoryIndex none.none
# Options -Indexes
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
But the problem is the system blocks itself, i mean when i try to access my API with an AJAX Request
, i get en error like this:
Failed to load resource: the server responded with a status of 403 ()
What am i missing.
Thanks.
PS
Require ip allow from // MY IP HERE
flag is not blocking anything at all.