RankFlo
5 min read

API Security for Headless CMS: Authentication, Rate Limiting, CORS

Your content API is a public endpoint. Secure it with API keys, rate limiting, CORS headers, and SSRF protection.


ruben

Authentication

  • API keys — SHA-256-hashed, stored securely. Prefix with sk_live_ for easy identification.
  • Bearer tokens — sent in the Authorization: Bearer sk_live_xxx header.
  • Per-key permissions — read-only vs read-write access per key.
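The three points above, put together as an added example (not code from the post): a key is minted with the sk_live_ prefix, only its SHA-256 digest is stored, the Authorization header is parsed for a bearer token, and each key carries its own scopes. The in-memory KEY_STORE, the scope names "read"/"write" and the status codes are assumptions for illustration; a real service would keep the hashes in a database.

```python
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple

KEY_PREFIX = "sk_live_"

# Constructed in-memory store: sha256(plaintext key) -> key record.
# The plaintext key is never stored; only its hash is.
KEY_STORE: Dict[str, dict] = {}


def generate_api_key(scopes: Tuple[str, ...] = ("read",)) -> str:
    """Mint a new key, persist only its SHA-256 hash, and return the plaintext once."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    KEY_STORE[digest] = {"scopes": set(scopes), "revoked": False}
    return plaintext


def revoke_api_key(plaintext: str) -> None:
    """Revoke a key by its hash; the record stays so reuse attempts can be logged."""
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    if digest in KEY_STORE:
        KEY_STORE[digest]["revoked"] = True


def parse_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def authenticate(authorization_header: Optional[str], required_scope: str) -> Tuple[int, str]:
    """Return (http_status, reason): 401 for bad credentials, 403 for a missing scope."""
    token = parse_bearer(authorization_header)
    if token is None or not token.startswith(KEY_PREFIX):
        return 401, "missing or malformed bearer token"
    # Look up by hash: the store never sees the plaintext, so a leaked
    # database dump does not yield usable keys.
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = KEY_STORE.get(digest)
    if record is None or record["revoked"]:
        return 401, "unknown or revoked key"
    if required_scope not in record["scopes"]:
        return 403, "key lacks '%s' scope" % required_scope
    return 200, "ok"
```

The 401/403 split matters for logs: a 401 means the caller never proved who they are, a 403 means a valid key tried something its scope does not cover, which is the signal worth alerting on.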

Rate Limiting

Sliding window rate limiting per API key: 120 req/min for free tier, 300+ for paid. Return 429 Too Many Requests with Retry-After header.
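A per-key sliding-window limiter with the tier limits quoted above, as an added example rather than the post's own code. It keeps one timestamp deque per key, counts only hits inside the last 60 seconds, and on refusal returns 429 with a Retry-After computed from the oldest hit still in the window. The tier names, the X-RateLimit-* headers and the optional `now` parameter (so the window can be exercised without sleeping) are assumptions.

```python
import math
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

WINDOW_SECONDS = 60
# Constructed tier table using the figures from the post.
TIER_LIMITS = {"free": 120, "paid": 300}


class SlidingWindowLimiter:
    """Per-key limiter: at most TIER_LIMITS[tier] requests in any 60 s span."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def check(self, key_id: str, tier: str, now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
        """Return (status, headers): 200 if the request is allowed, 429 with Retry-After if not."""
        now = time.monotonic() if now is None else now
        limit = TIER_LIMITS[tier]
        hits = self._hits.setdefault(key_id, deque())
        # Evict timestamps that have left the window so only the last 60 s count.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= limit:
            # The oldest hit still in the window decides when a slot frees up.
            retry_after = max(1, math.ceil(hits[0] + self.window - now))
            return 429, {
                "Retry-After": str(retry_after),
                "X-RateLimit-Limit": str(limit),
                "X-RateLimit-Remaining": "0",
            }
        hits.append(now)
        return 200, {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(limit - len(hits)),
        }
```

Because a refused request is not appended, a client hammering the endpoint does not push its own Retry-After further out; the window drains at the rate the earlier requests came in.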

CORS

Set Access-Control-Allow-Origin to your frontend domain only. Never use * for authenticated endpoints.
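An added example (not from the post) of building the CORS response headers from an origin allowlist: an allowlisted origin is echoed back exactly, the wildcard is only ever emitted for unauthenticated public content, and an unknown origin on an authenticated endpoint gets no header at all, so the browser withholds the response from the page. The ALLOWED_ORIGINS set and the `authenticated` flag are assumptions.

```python
from typing import Dict, Optional

# Constructed allowlist of front-end origins; real deployments load this from config.
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}


def cors_headers(origin: Optional[str], authenticated: bool) -> Dict[str, str]:
    """Build CORS headers: echo an allowlisted origin, never '*' on authenticated endpoints."""
    if origin is None:
        # Same-origin request or non-browser client: CORS headers are not needed.
        return {}
    if origin in ALLOWED_ORIGINS:
        return {
            # Exact match of the requesting origin, not the wildcard.
            "Access-Control-Allow-Origin": origin,
            # Shared caches must not serve one origin's response to another.
            "Vary": "Origin",
            "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
            "Access-Control-Allow-Headers": "Authorization, Content-Type",
        }
    if not authenticated:
        # Public, unauthenticated content may be read from any origin.
        return {"Access-Control-Allow-Origin": "*"}
    # Unknown origin on an authenticated endpoint: omit the header entirely.
    return {}
```

The Vary: Origin header is the part most often forgotten: without it a CDN can cache a response carrying one origin's Access-Control-Allow-Origin and hand it to every other origin.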

SSRF Protection

If your API fetches external URLs (webhooks, media imports), block private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and .local/.internal hostnames.
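An added example (not the post's code) of the outbound-URL check described above. It rejects non-HTTP schemes, the localhost, .local and .internal names, literal private and special-use addresses, and any hostname whose resolved addresses include a private one. To run offline it takes a resolver callable; FAKE_DNS and the example hostnames are constructed stand-ins for socket.getaddrinfo, and 8.8.8.8 / 1.1.1.1 are used only as well-known public addresses.

```python
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost"}
BLOCKED_SUFFIXES = (".local", ".internal")

# Constructed DNS table so the example runs offline. Real code would call
# socket.getaddrinfo and then connect to the address it validated rather than
# letting the HTTP client resolve the name a second time.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],
    "hooks.example.com": ["1.1.1.1"],
    "mixed.example.com": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    """Stand-in resolver: returns the constructed records, or [] if unknown."""
    return FAKE_DNS.get(host, [])


def is_blocked_address(addr: str) -> bool:
    """True for any address that is not globally routable: RFC 1918, loopback,
    link-local, unspecified, multicast, reserved and documentation ranges."""
    return not ipaddress.ip_address(addr).is_global


def validate_outbound_url(url: str, resolver: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the API is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.rstrip(".").lower()
    if host in BLOCKED_HOSTNAMES or host.endswith(BLOCKED_SUFFIXES):
        return False, "blocked hostname"
    # A literal IP in the URL (10.x, 172.16-31.x, 192.168.x, 127.x, ::1, ...) is checked directly.
    try:
        if is_blocked_address(host):
            return False, "private or special-use address"
        return True, "ok"
    except ValueError:
        pass  # not an IP literal; treat as a hostname and resolve it
    addrs = resolver(host)
    if not addrs:
        return False, "unresolvable host"
    # Every record must be public; a single private answer is enough to refuse.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"
```

Checking the resolved addresses rather than only the hostname is what closes the gap left by a name that resolves into a private range, and handing the validated address (not the name) to the HTTP client is what keeps that check from being undone between validation and connect.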