How To Protect Your IPFS Gateways From Abuse
With Pinata Gateway Access Controls
When Pinata launched Dedicated Gateways in early 2021, it was a huge step forward for the entire web3 space. Most people and projects used public IPFS gateways at the time. These public gateways, including Pinata’s, were built as testing grounds, not production-worthy solutions. But there were only two alternatives to public gateways back then—run a local IPFS node + gateway on a computer in your home or office or deploy a hosted node and gateway to a cloud provider. Neither option was very attractive, and so projects defaulted to public gateway use.
Pinata’s Dedicated Gateways changed everything. Individual Pinata customers have now launched tens of thousands of Dedicated Gateways. These gateways have provided a level of scalability, reliability, and performance not previously accessible to most projects. However, they also exposed a challenge.
IPFS is inherently public. That means, by default, any content can be loaded through any gateway. Even if you have your own Dedicated Gateway through Pinata, it was possible for others to use your gateway to load content you may not want loaded through it. Our first pass at protections was called Restricted Gateways. All Dedicated Gateways were created as restricted, meaning only content the gateway owner had pinned through their Pinata account could load through the gateway would be served. Of course, there were plenty of use cases where customers needed to load content from the wider IPFS network (marketplaces, rarity tools, analytics providers, etc).
When a Dedicated Gateway was made open, that meant that any content on the IPFS network could be loaded through that gateway. As you can imagine, this provided a path to abuse. If someone’s gateway was discovered, malicious actors or freeloaders could use it to serve content that you, as the gateway owner, didn’t want served. We recognized this problem right away and got to work on a solution.
Today, we’re excited to announce that solution. We have launched Gateway Access Controls, now available to all users with a paid account.
Every new Dedicated Gateway created will continue to be restricted in that it will only serve content that the owner has pinned through their Pinata account. However, the big change now is that if you want to serve content from the wider IPFS network, you will need to add at least one security setting. You’ll have three options to choose from (and you’re welcome to use all three):
- Access Token: Restrict your gateway so that it only serves content if the designated access token is present as a header or a query string parameter.
- IP Address Restrictions: Add IP Addresses that are approved to access content through your gateway.
- Host Origin Restriction: Add host origin URLs that are approved to access content through your gateway.
To enable these restrictions, once you have beta access, simply click on the Developers tab at the top of your screen when logged into the Pinata app.
From there, you’ll see the Restrict Access tab where you can select your Dedicated Gateway from the left side of the screen and apply the restrictions of your choice.
It’s important to note that when you add a restriction, it opens your gateway up so that it can load content from the entire IPFS network but only if the restriction setting is met. This applies to both content that you have pinned and content across the network. If you try to load a file that you have pinned to your account and you have set an Access Token restriction, for example, the content will only load if you provide that access token along with the request.
This powerful new functionality will allow you to build incredible experiences without worrying about abuse. Your Dedicated Gateways can be protected while you build the next OpenSea, the next RarityTools, the next Instagram, or the next YouTube.
You can read more about how to use these restrictions in our documentation.
Now go build something amazing!
Ready to start building with Pinata? Click here to view our plans and get started today.