How to prevent connections from other Ionic apps in my Node.js server

I have an Ionic app that connects to my API in Node.js. In Node.js I set CORS to receive connections from localhost, capacitor://localhost (iOS) or http://localhost (Android). The problem is that every app can use my API from localhost, because the CORS configuration is open to all of localhost. My question is: how can I allow connections to my API only from my Ionic app?

For example, if we have an Ionic app named X that uses an API in Node.js to log users in, and in this Node.js server CORS allows connections from localhost, then if another person creates a new app named X2, that app can use the same API to log users in, and this is a security risk. I need to allow connections only from my Ionic app.

Is it possible to get the appId (Capacitor config) when Node.js receives a call from the API?

I think you need to work on some sort of server-based secret in order to really prevent this from happening.

So login/password stuff, or anything fancier and more reliable than that.

Otherwise, you may want to set up a dev server which runs a wider policy compared to your production API, with CORS not enabled.

Maybe there are more things, but then you get into lots of coding and networking thingies.

As usual, I agree with @Tommertom.

What you ask for is theoretically impossible for anybody except you to implement. Ionic can’t do it, Angular can’t do it, and your httpd can’t do it.

What I do is to have my backends issue JWTs upon successful authentication. I have an HttpInterceptor that adds them to all secured requests, so the rest of the code that talks to the network doesn’t have to care about the details.

Even your final suggestion is pointless, because anybody could spoof the app id. Fundamentally, you have to think of Ionic apps as operating in hostile environments, because you as the author have zero control over how your code is run on devices that aren’t under your physical control. Anybody can take your app binary, hack it up, and run it under an emulator. You can’t hardcode secrets in there, no matter how hard you try.


On top of all the things mentioned by Tommertom and rapropos, CORS is not a security feature of your server, it’s a browser restriction, so disabling CORS on your server or limiting what origins can access it doesn’t make it more secure.

Native connections will always be able to connect to your server, no matter what your CORS config is.
So any app using the @capacitor-community/http plugin or any other plugin that uses native connections will be able to access your server. And also any computer using native connections (Postman or similar tools, terminal commands such as wget or curl, any desktop app with an HTTP library, etc.)
