Allow app engine access only from a specific website?

[Mapperkids]

Hi,

We want to set up our app engine to only allow access from specific public domain like www.whatever.com ( it is an external public available website), how can I do that which is not by IP range level so I can't do it using the app engine firewall setting.

Our app is written in Python and the app engine services are in both standard / flex environment.

The flow will be like someone clicking a link on the www.whatever.com and it will redirect to our app front end to show a page, but we would like to make sure the request is come from www.whatever.com otherwise, should give them like 500 server error or something.

Any ideas how can I do that?

Thanks in advance.

John

[Vitaly Bogomolov]

Hi John.

For example, you can create a set of unique one-time links to your-app.appspot.com for each page view on www.whatever.com

The request to create this set must go through a private communication channel between www.whatever.com and your-app.appspot.com

In general, this task is not directly related to appengine. More likely something like https://www.google.com/search?q=how+to+implement+weblink+shortener

WBR, Vitaly

[Amit Sinha]

Hello John,

In GCP, you can restrict the access using App Engine firewall rules. As it accepts only the IP range, this might not be useful in your case. However, I think you can configure the app's landing page simply perform a request check and make sure it's from that domain [1] before allowing it (otherwise redirect to an error page).  Alternatively, it might be possible to set some sort of authentication string in a post payload to determine eligibility (similarly if the string is not there, simply redirect to error page). I hope it helps. 

[1]  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer