Security Rules
Introduction
You may want to restrict access for specific authentication modes, for example, to allow only a list of IP ranges. Every authentication mode supports a common set of security rules to harden API security, such as:
- IP Allow List.
- Header validations.
IP Allow List
How it works
RelyAuth reads the client IP from the request headers and validates it against the allow list in the configuration. If your proxy uses custom headers, you can also configure explicit header names. By default the following headers are checked:
- CF-Connecting-IP
- True-Client-IP
- X-Real-IP
- X-Forwarded-For
IP headers may be discarded by the gateway or proxy, so check its documentation to learn exactly which headers it forwards. If you use the Hasura auth webhook, configure the POST method and forward the IP headers.
Configuration
In the authentication definition, add the allowedIPs setting in the securityRules object.
version: v1
kind: RelyAuth
definition:
  modes:
    - mode: apiKey
      # ...
      securityRules:
        allowedIPs:
          include:
            value:
              - "192.168.0.1"
              - "192.168.1.0/24"
          exclude:
            env: EXCLUDE_IPS
- include: list of IP ranges that are allowed to authenticate.
- exclude: list of IP ranges that are banned from this authentication mode.
Both fields accept either an array of IP strings or an environment variable. The environment variable's value is a comma-separated string, for example, 192.168.0.1,192.168.0.2.
Header Validations
How it works
You can set extra rules to validate non-auth headers, such as Origin or User-Agent.
In webhook mode, configure the POST method and forward the desired headers. Hasura engines drop common headers so that they do not overlap with the webhook request's own headers.
Configuration
In the authentication definition, add the headerRules setting in the securityRules object. This setting is an object whose keys are header names.
version: v1
kind: RelyAuth
definition:
  modes:
    - mode: apiKey
      # ...
      securityRules:
        headerRules:
          origin:
            include:
              value:
                - localhost
                - ^https://example.com$
            exclude:
              env: EXCLUDE_ORIGINS
- include: list of header values that are allowed to authenticate.
- exclude: list of header values that are banned from this authentication mode.
Both fields accept either an array of regular expression strings or an environment variable. The environment variable's value is a comma-separated string, for example, localhost,https://example.com.
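The following added example (not RelyAuth's own code) evaluates both rule types described above, the allowedIPs rule and the headerRules rule, against a request's headers. It assumes the include/exclude fields are passed as dicts shaped like the YAML, that exclude wins over include, and that an empty include list admits any value that is not excluded; the page does not state the last two points.

```python
import ipaddress
import os
import re

# Headers RelyAuth inspects for the client IP, in the order the page lists them.
IP_HEADERS = ("CF-Connecting-IP", "True-Client-IP", "X-Real-IP", "X-Forwarded-For")

def rule_values(field, env):
    """Resolve include/exclude to a list: a literal `value` list or a comma-separated `env` variable."""
    if not field:
        return []
    if "value" in field:
        return list(field["value"])
    return [v.strip() for v in env.get(field.get("env", ""), "").split(",") if v.strip()]

def client_ip(headers):
    """First client IP found in the known headers; X-Forwarded-For lists the client first."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in IP_HEADERS:
        if lowered.get(name.lower()):
            return lowered[name.lower()].split(",")[0].strip()
    return None

def ip_allowed(allowed_ips, headers, env=None):
    """Exclude beats include; an empty include admits any non-excluded IP (assumption, not stated on the page)."""
    env = os.environ if env is None else env
    try:
        ip = ipaddress.ip_address(client_ip(headers))
    except (TypeError, ValueError):
        return False  # no usable IP header: fail closed
    in_any = lambda ranges: any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)
    if in_any(rule_values(allowed_ips.get("exclude"), env)):
        return False
    include = rule_values(allowed_ips.get("include"), env)
    return not include or in_any(include)

def headers_allowed(header_rules, headers, env=None):
    """Every configured header must be present, hit an include regex and miss every exclude regex."""
    env = os.environ if env is None else env
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, rule in header_rules.items():
        value = lowered.get(name.lower())
        if value is None or any(re.search(p, value) for p in rule_values(rule.get("exclude"), env)):
            return False
        include = rule_values(rule.get("include"), env)
        if include and not any(re.search(p, value) for p in include):
            return False
    return True
```

Note that `localhost` without anchors matches any Origin containing that substring, so anchor patterns (as `^https://example.com$` does) when the full value must match.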