
Complex Regex Pattern as Authentication Key

Çağlar Arlı


System Overview:
You have three components under your control:

  1. A relay server (public-facing, CDN-proxied).
  2. A web server that dynamically generates frontend code (HTML/JS).
  3. A frontend that embeds JavaScript (from the web server) to fetch data from the relay server.

Problem:
Malicious users can:

  • Discover your relay server’s public domain.
  • Tamper with the frontend’s embedded JavaScript (e.g., modifying API calls or parameters).
  • Spam/abuse the relay server directly with unauthorized requests.

Goal:
Ensure the relay server only processes requests from your unmodified frontend code, while blocking requests from altered or unauthorized clients.

Preference: The relay server origin is never hit by a malicious request, since it's protected by the CDN proxy.


Here is my hypothetical solution:

The CDN service has a feature to block requests based on the URL query. One of its many options is a condition based on a regex pattern: if the query matches, the request is forwarded to the relay server; otherwise it is blocked.

So I'm wondering whether a complex regex pattern can be used as a key for data authenticity. The regex pattern would be shared with the web server so that it can create strings that always match the condition.

The CDN service then checks the regex pattern, so an attacker couldn't easily hit the relay server; the request is already blocked by the CDN.

So, is it valid to use a complex regex pattern as an authentication key?
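
An added example (not part of the original post) of the scheme described above: a regex rule is a stateless predicate, so a token copied from the page keeps matching at any later time and for any request, whereas a MAC over the path and an expiry time bounds that reuse. The pattern, secret, paths, function names and the assumption that the edge can verify an HMAC are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed CDN rule: forward only when the query string matches this pattern.
CDN_PATTERN = re.compile(r"k=[a-f0-9]{8}-x[0-9]{4}z-[A-F]{6}")
# Constructed secret shared by the web server and the verifying edge (assumption).
SECRET = b"constructed-demo-secret"


def regex_rule_allows(query: str) -> bool:
    """The regex rule as described in the post: a stateless match on the query."""
    return CDN_PATTERN.fullmatch(query) is not None


def issue_signed_query(path: str, now: int, ttl: int = 60) -> str:
    """Web server side: bind the token to one path and an expiry time."""
    expires = now + ttl
    mac = hmac.new(SECRET, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"exp={expires}&sig={mac}"


def signed_rule_allows(path: str, query: str, now: int) -> bool:
    """Edge side: recompute the MAC and reject expired or re-targeted tokens."""
    fields = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    exp, sig = fields.get("exp", ""), fields.get("sig", "")
    if not exp.isdecimal() or int(exp) < now:
        return False
    expected = hmac.new(SECRET, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    # Token the web server embedded in the page; it is readable in the served JS.
    captured = "k=3fa9c01b-x4821z-ABCDEF"
    print(regex_rule_allows(captured))                    # same token, any later time
    print(regex_rule_allows("k=00000000-x0000z-AAAAAA"))  # any string of the same shape
    q = issue_signed_query("/api/data", t0)
    print(signed_rule_allows("/api/data", q, t0 + 10))    # fresh, intended path
    print(signed_rule_allows("/api/data", q, t0 + 3600))  # reused after expiry
    print(signed_rule_allows("/api/admin", q, t0 + 10))   # moved to another path
```

Because the signed token is still delivered to the browser, it limits how long and where a copied token works; it does not prove that the frontend code is unmodified.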