How to protect API requests when sending from a server?

My use case is to send node API requests from the server side, which is located in a serverless-type cloud,
so I use "Require project secret for all requests".

The problem is that the basic authentication is immediately hacked and used by unknown users
(confirmed by stats).

My questions are below.

  1. Are there any plans to add API authentication methods other than basic authentication?
  2. Which params does the domain whitelist check? (Because the API fails if I whitelist the custom domain I apply to serverless.)

After all, what is the best way for such a use case?

Hi teatwo, welcome to the Infura Community!

Want to make sure I understand your issue: are you enabling the Project Secret required setting and still seeing traffic coming from other sources?

Thank you for the reply.

Yes, I have enabled the Project Secret required setting, and see unknown traffic.

I noticed some strange stats.
I have created another PJ for use from the client. This PJ is protected by an origin whitelist.
If I send some requests (and get correct responses), statistics are not recorded.
The oldest request was a few days ago, but it is still 0 for the total duration of the PJ.

There is a bit of a delay between your requests being made and appearing in the dashboard stats page. Are your requests getting a successful response? Is the new project receiving requests that do not seem to be coming from you?

Are your requests getting a successful response?

Yes. My web3 call provided by Infura returns a response, though I can't confirm it in the network tab of the browser.

Is the new project receiving requests that do not seem to be coming from you?

No. Total 0.

Note the details of the 2 PJs.

existing PJ

  • truffle hard wallet provider
  • web3js
  • request from cloud
  • protected by basic authentication via secret key
  • many unknown transactions stats

new PJ

  • metamask
  • web3js
  • request from browser
  • protected by whitelist of origins
  • total 0 stats.