Raunak Gupta
Jul 28, 2017, 12:39:06 PM7/28/17
to Google App Engine
**Hoping to get some insights from the community. **
With a Google Endpoint version 2 app (Java 8) deployed on GAE, the project becomes available under the url <project-name>.appspot.com.
I had few questions around deployment and security:
- The URL <project-name>.appspot.com is accessible by everyone by default. How do I restrict it so only that Endpoint only responds to requests coming from my domain or my sub-domain.
- How do you go about deployment such that you have a staging environment and a production environment
Many thanks for your time responding to this.
Yannick (Cloud Platform Support)
Jul 28, 2017, 3:28:58 PM7/28/17
to Google App Engine
Hello, welcome to the forums.
1) You can choose which URLs you want to restrict in your Java application using security constraints. That way only someone logged in as a developer or your application itself can access that endpoint.
2) There are many ways to implement having a staging and production environment. You could use a separate service as your staging environment. Several App Engine services such as Datastore will also let you use namespaces to keep the data of your environment separates. Finally you could simply create a different cloud project and use that as your staging environment.
I hope this helps. Let me know if I can clarify anything for you.
Raunak Gupta
Jul 28, 2017, 8:12:05 PM7/28/17
to Google App Engine
Hi Yannick,
Namespaces make sense for various environments - Prod / Stage, etc.
I'm not 100% clear on the part where I restrict Google Endpoint to serve only the requests coming from domain.com. The thing I am trying to avoid is for "bad guys" calling my API from their machines. I can add client API keys to my Endpoint, but these keys can be easily obtained by looking at the HTML. I hope you see what my concern is here.
Yannick (Cloud Platform Support)
Jul 31, 2017, 12:06:38 PM7/31/17
to Google App Engine
If you want to restrict access to your endpoint using an API key you should not have to worry about clients. You say you only want to server requests from a certain domain (eg: domain.com) correct? In that case users of that domain would make requests to it, and the server of domain.com would be the one to use its API key to call your Endpoint. This way users of domain.com are never in possession of your API key.
jans...@gmail.com
Apr 29, 2019, 11:24:52 AM4/29/19
to Google App Engine
Endpoint Protection offers security management which includes adequate securing list of endpoints that includes laptops, smartphones, desktops and other Internet of things. https://360.comodo.com/security-solutions/endpoint-protection/
Serhii Diukarev
Mar 18, 2020, 6:16:45 AM3/18/20
to Google App Engine
And how can I configure the same (security constraints) for Nodejs? Couldn't find the solution yet...
noverlyjoseph
Mar 18, 2020, 3:01:46 PM3/18/20
to Google App Engine
You could use Firebase[1] with App Engine to control who and what have access and where on your application.
Or you could control the access of your app using the different role available for App Engine[2]
[1] https://cloud.google.com/appengine/docs/standard/python/authenticating-users-firebase-appengine
[2] https://cloud.google.com/appengine/docs/standard/nodejs/roles
Or you could control the access of your app using the different role available for App Engine[2]
[1] https://cloud.google.com/appengine/docs/standard/python/authenticating-users-firebase-appengine
[2] https://cloud.google.com/appengine/docs/standard/nodejs/roles
Reply all
Reply to author
Forward
0 new messages