Hi All,
Is there anyway in ApiGee to allow API call access only from specific domain? For example, I want ApiGee call to be triggered to Targeted API only if the request is made from www.example.com (or) Host ip address of www.example.com. Is it possible?
You can use access control policy to achieve this. Here is the sample documentation to do this: http://apigee.com/docs/api-services/reference/access-control-policy
You can check the origin of request using request headers ârefererâ HTTP_referer and implement a fault rule based on request header ârefererâ parameter. Does that solve your use case ?
Or, You can use Access Control Policy that restricts based on ip.
Can you please elaborate the usecase? basically it will help us understand the root problem you are trying to solve.
I have got an API licence from Support third party. They have given us the API Key and other stuffs. We are using jQuery to access the Rest Api(Third Party). I have included the standard Api key and other stuffs inside ApiGee using Assign Message Proxy which is working perfectly. And now, I want the ApiGee Proxy Api to accept my Rest Api call only it comes from www.example.com or 11.21.22.55 ip address⌠Hope it is clear.
I suggest exploring Developer Apps and API Product support of Apigee to segregate users rather than IP/domain name based restrictions. Let me know that approach helps.
Iâd read the âHostâ header value and put a RaiseFault policy if value is invalid. Host header value is automatically put into a variable called request.header.Host for you so doing this should be fine:
<Step>
<Condition>request.header.Host != "google.com"</Condition>
<Name>RaiseFault.RequestFromInvalidDomain</Name>
</Step>
But, the Access Control Policy checks only the Client IP address. I want it to check the requesting Domain (or) Domain IP address. For example, the API calling script(written in php or jquery(ajax)) is in www.example.com domain, I want ApiGee if the request is coming from www.example.com and accept it and deny the request if it is coming from www.notexample.com
@Archendra Yadav - are you sure access control policy provide domain name validation?
Great! Can you explain about it more. How to read âHostâ header value and put it in RaiseFault policy?
@Ozan Seyman We donât support the domain name validation using access control policy.
You can read the Host header value using this variable: request.header.Host. Itâs value will be the domain name (like google.com in above example).
Once the condition is true (see example above), then you can return a fault response back to the client using RaiseFault policy (http://apigee.com/docs/api-services/reference/raise-fault-policy)
Thank you 
Is it possible to print ârequest.header.Hostâ anywhere in order to see the exact value. Why I am asking is, We have not set up domain yet, we are currently working using server IP address. Need to check if I can get the Host IP address.
Sure - you can see it by running a trace and looking at clientâs request.
Login to enterprise.apigee.com
Pick your API, jump to trace view and start trace
Execute API call and look at the request headers by clicking on the first circle on trace (see the screenshot below - mine is oseymen-test.apigee.com)
Thanks for the screenshot, Ozan . I implemented the way you said. But, As my proxy api is âvenkateshrajavetrivel-test.apigee.netâ, Iâm getting Host name as the same âvenkateshrajavetrivel-test.apigee.netâ when I trigger the call so, this also fials in my case 
Added the screenshot below
I guess I misunderstood your requirements in that case. venkateshrajavetrivel-test.apigee.net is the domain name that is being requested so request.header.Host is showing that value.
What were you expecting to get in the host header?
Yeah. My requirement is, I am shooting http://venkateshrajavetrivel-test.apigee.net/xxx/yyy Rest Api in jQuery ajax call in my domain called www.example.com.
If anyone uses the same http://venkateshrajavetrivel-test.apigee.net/xxx/yyy in their site also, data will be inserted Spams as everyone can use the API.
So, I want the request to be made only if it comes from www.example.com and not from other domains. Is it possible?
You can filter the origin domain in a JS call using CORS origin header.
The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. This happens in preflight (OPTIONS) call before the real API call happens.
You should be able to configure Apigee to send correct Origin header back (www.example.com) so that no other domains can do a JS call from any other domain.
http://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work
But your API is still open for anyone else using an api client (like curl) without using JS. So while you are preventing access from other JS clients, your API is still wide open for any other client type.
Perhaps a proper security measure (OAuth perhaps?) is better suited for this?
