Skip to main content

How to Set Up Referrer Whitelist with QuickNode

Created on
Updated on
Dec 17, 2024

4 min read

Overview

Security is one of the most significant aspects when developing an application. If a resource like an endpoint falls into the hands of an unauthorized individual, it can exhaust your limits and resources. In this guide, we will see how to avoid this and learn how to set up a referrer whitelist on a QuickNode endpoint.

info

The Referrer Whitelist security feature is only available to users on the Growth Plan or above.

What is Referrer Whitelisting?

First, let's clarify what a referrer is. In the HTTP standard, 'referrer' is commonly spelled 'referer.' It is part of the HTTP request header that indicates the origin of a web request, usually pointing to the web page that linked to a requested resource. This information helps servers identify the source of requests.

In the context of QuickNode, referrer whitelisting is a crucial security feature that allows developers building decentralized applications (dApps) to specify which domains are permitted to make requests to their endpoints. Imagine you are developing a dApp that interacts with the blockchain using your QuickNode endpoint. When your codebase is hosted on a platform like GitHub, your active QuickNode endpoint URL might become publicly accessible. If someone obtains this URL, they could make unauthorized calls to your endpoint, resulting in excess usage not initiated by you.

This is where QuickNode's Referrer Whitelist feature becomes valuable. By whitelisting a referrer, you can restrict requests to only those originating from specific domains, rejecting all others. This ensures that only legitimate requests from approved sources are processed by your endpoint.

Implementing referrer whitelisting enhances the security of your applications and helps prevent unauthorized access to your QuickNode endpoints.

How to Set Up a Referrer in QuickNode

Let us have a look at how we can set up a referrer whitelist with QuickNode. First of all, you will need access to an endpoint. If you don't have it already, you can easily sign up with a free QuickNode account here, set up an endpoint.

QuickNode Ethereum Endpoint

After setting up your endpoint, visit the Security section for that endpoint and go to the Referrer section.

Enable referrer whitelist by clicking the referrer toggle. Then, enter the desired hostname or domain you want to whitelist, excluding URL fragments such as #section or /resource, and any user information like username:password. Simply input the domain without including the HTTP/HTTPS protocol. You can check the examples below for guidance:

Correct (✅)Incorrect (❌)
etherflow.quiknode.iohttps://etherflow.quiknode.io/
mysite.example.comhttps://mysite.example.com/#about
app.example.netapp.example.net/resource
docs.yourdomain.orgdocs.yourdomain.org/resource/page

Whitelist Referrer Section

Now, only the requests to your endpoint made directly from https://etherflow.quiknode.io/ will be served. Let's test this!

Calls From a Whitelisted Domain

EtherFlow is a tool that makes it easier to send RPC calls to endpoints. Thus, we will use EtherFlow domain as a whitelisted referrer. If you want to use it as well, feel free to follow the steps below:


  1. Visit EtherFlow.
  2. Enter your endpoint's HTTP Provider URL in the box at the top.
  3. Choose a Web3 library (either Web3.js or Ethers.js).
  4. Select a method from the available options.
  5. Click the Send Request To Node button.

Call From a Whitelisted Domain

As you can see, the endpoint is responding completely fine on that domain now. Let us try to make a cURL call to our endpoint.

cURL Call Without a Referer Header

Open your terminal and run the following command. Do not forget to replace the <YOUR_QUICKNODE_ENDPOINT_URL> placeholder in the CURL request below with the your QuickNode endpoint URL.

cURL Request
curl --location '<YOUR_QUICKNODE_ENDPOINT_URL>' \
--header 'Content-Type: application/json' \
--data '{"method":"eth_blockNumber","params":[],"id":1,"jsonrpc":"2.0"}'

As you can see, the endpoint did not respond and gave an UNAUTHORIZED error. It will only respond to the requests made by the whitelisted referrer.

Call From a Non-Whitelisted Domain

cURL Call With a Referer Header

While using this feature, you must make sure that all the requests your website is sending to the endpoint have the Referer HTTP Header set exactly to what you've whitelisted in the QuickNode UI. For example, if you've added example.com in the QuickNode UI, your HTTP request should have https://example.com as the Referer Header, and if you're using the WSS endpoint the Origin header must be set to exactly what you've whitelisted in the UI.

Let's try to make a cURL call with the referer header to our endpoint.

Open your terminal and run the following command. Do not forget to replace the <YOUR_QUICKNODE_ENDPOINT_URL> placeholder in the CURL request below with your QuickNode endpoint URL. Also, modify the Referer Header with your whitelisted domain.

cURL Request
curl --location '<YOUR_QUICKNODE_ENDPOINT_URL>' \
--header 'Content-Type: application/json' \
--header 'Referer: https://etherflow.quiknode.io' \
--data '{"method":"eth_blockNumber","params":[],"id":1,"jsonrpc":"2.0"}'

As you can see, the endpoint responded without any error.

Call with a Referer Header

This security feature is very important to block unauthorized access to your endpoint. However, it's worth noting that whitelist referrers are not foolproof. If someone has your endpoint URL and knows the whitelisted referrer, they can potentially access your endpoint.

Another notable security feature is the ability to manage authentication tokens. If you suspect that someone has access to your endpoint URL, you can generate a new token and delete the existing one. This action will render the old endpoint URL obsolete.

Auth Token

Additional Resources

For further information on enhancing your endpoint security, consider exploring the following guides. These resources provide valuable insights and best practices for securing your QuickNode endpoints.


Conclusion

In this guide, we learned how to set the Referrer Header correctly in HTTP requests to utilize QuickNode's referrer whitelisting feature, ensuring secure and authorized access to your endpoints.

Subscribe to our newsletter for more articles and guides on Ethereum. If you have any feedback, feel free to reach out to us via Twitter. You can always chat with us on our Discord community server, featuring some of the coolest developers you'll ever meet :)

We ❤️ Feedback!

Let us know if you have any feedback or requests for new topics. We'd love to hear from you.

Share this guide