I am currently working on a paid library and am responsible for implementing request filtering. The library restricts requests to only allow those with a valid license key used from a registered domain or localhost. For example, a request from localhost to localhost:8080 is allowed.
Currently, I am filtering requests by checking whether the IP, HTTP headers (Referer, Origin, Remote Addr, Remote Host), and the IP in X-Forwarded-For are either localhost or a registered domain. However, I am concerned that someone who hasn't purchased a license could use a reverse proxy to modify all the request headers and IP to appear as localhost and then send the request to our server. I'm unsure how to effectively filter out these types of requests.
I have been inspecting IPs and HTTP headers to ensure that the requests come from authorized sources, but I am struggling to prevent requests where the headers are manipulated via a reverse proxy.
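To make the concern concrete, here is an added example (not code from the question or from the library it describes) that models the filter the question describes and runs it against a request relayed through an attacker-controlled reverse proxy. The `Request` class, the `REGISTERED_DOMAINS` registry and the `TRUSTED_PROXIES` set are assumptions made for the illustration; the sample requests are constructed inline. The second function shows the one thing the server can trust: the TCP peer address of its own socket, with X-Forwarded-For honoured only when that peer is a proxy you operate.

```python
"""Header-based origin checks versus the transport-level peer address."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

REGISTERED_DOMAINS = {"customer.example"}        # hypothetical licence registry
TRUSTED_PROXIES = {ip_address("10.0.0.5")}      # hypothetical: a load balancer we run
LOOPBACK = ip_network("127.0.0.0/8")


@dataclass
class Request:
    peer_ip: str                                 # TCP peer as seen by the server socket
    headers: dict = field(default_factory=dict)  # headers exactly as the client sent them

    def header(self, name: str) -> str:
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def _host_of(value: str) -> str:
    """Strip scheme, port and path from a Referer/Origin value."""
    value = value.split("://", 1)[-1]
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def _is_local_or_registered(name_or_ip: str) -> bool:
    if name_or_ip == "localhost" or name_or_ip in REGISTERED_DOMAINS:
        return True
    try:
        return ip_address(name_or_ip) in LOOPBACK
    except ValueError:
        return False


def naive_allow(req: Request) -> bool:
    """The filter from the question: believe the IP and host names the request carries.

    Every value here is chosen by whoever wrote the HTTP request, so a reverse
    proxy in front of the attacker's client can set all of them to 'localhost'.
    """
    first_hop = req.header("X-Forwarded-For").split(",")[0].strip()
    candidates = [first_hop or req.peer_ip]
    for h in ("Referer", "Origin"):
        if req.header(h):
            candidates.append(_host_of(req.header(h)))
    return any(_is_local_or_registered(c) for c in candidates)


def client_ip(req: Request) -> str:
    """Return the address the server can actually vouch for.

    X-Forwarded-For is only consulted when the TCP peer is a proxy we operate,
    and then only its rightmost entry, the one our own proxy appended; entries
    to the left were supplied by the client and are untrusted.
    """
    if ip_address(req.peer_ip) in TRUSTED_PROXIES:
        hops = [h.strip() for h in req.header("X-Forwarded-For").split(",") if h.strip()]
        if hops:
            return hops[-1]
    return req.peer_ip


def transport_allow(req: Request) -> bool:
    """Allow loopback only when the socket itself (or our own proxy) says so."""
    try:
        return ip_address(client_ip(req)) in LOOPBACK
    except ValueError:
        return False


# Constructed sample requests.
LEGIT_LOCAL = Request(peer_ip="127.0.0.1")
DIRECT_STRANGER = Request(peer_ip="203.0.113.7")
VIA_ATTACKER_PROXY = Request(
    peer_ip="203.0.113.7",                       # the attacker's reverse proxy
    headers={
        "Referer": "http://localhost:8080/",
        "Origin": "http://localhost:8080",
        "X-Forwarded-For": "127.0.0.1",
    },
)
VIA_OUR_PROXY_SPOOFED = Request(
    peer_ip="10.0.0.5",                          # our load balancer
    headers={"X-Forwarded-For": "127.0.0.1, 198.51.100.9"},  # left entry forged by client
)

if __name__ == "__main__":
    for name, req in [("legit local", LEGIT_LOCAL), ("direct stranger", DIRECT_STRANGER),
                      ("via attacker proxy", VIA_ATTACKER_PROXY),
                      ("via our proxy, spoofed XFF", VIA_OUR_PROXY_SPOOFED)]:
        print(f"{name:28} naive={naive_allow(req)!s:5} transport={transport_allow(req)}")
```

The attacker-proxied request passes the naive filter because every field it inspects was written by the attacker; it fails the transport-level check because the only fact the server observed directly is a peer address of 203.0.113.7. Note that the stricter check also means a legitimate licensee behind their own proxy no longer looks like localhost, which is why the domain/localhost restriction on its own cannot be enforced from headers at all.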
Like you said, anyone can put a reverse proxy between them and your API and tamper with the HTTP headers. If you want to be absolutely sure a request is originating from a legitimate source, you're going to need something more.
Here are some of the things you could do: