For one of my projects, I needed to host an API service on the RapidAPI platform. To make sure that all requests to the application are routed via RapidAPI, I needed to check a special header sent by RapidAPI.
RapidAPI forwards each valid request to the configured server, but injects the X-RapidAPI-Proxy-Secret header. While a hacker may also send the same header, the value of this header will be known only to the RapidAPI platform and your app.
I deployed the server on Heroku, and defined an environment variable PROXY_SECRET which I check against the one sent with the request.
Sometimes I need to test the server directly, in which case I simply do not set this variable (like on my local machine) and this check is bypassed.
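
One way to implement the check described above, as an added example rather than the author's own code: a Python WSGI middleware that compares the header to PROXY_SECRET in constant time and skips the check when the variable is unset. The post does not name a language or framework, so the choice of WSGI and the names ProxySecretMiddleware, demo_app and call are assumptions; the secret is assumed to be ASCII.

```python
import hmac
import os

# WSGI exposes the X-RapidAPI-Proxy-Secret request header under this key.
HEADER_KEY = "HTTP_X_RAPIDAPI_PROXY_SECRET"


class ProxySecretMiddleware:
    """Hypothetical middleware: reject requests that lack the shared secret."""

    def __init__(self, app, secret=None):
        self.app = app
        # An unset or empty PROXY_SECRET disables the check, matching the
        # direct-testing setup in the post.
        if secret is None:
            secret = os.environ.get("PROXY_SECRET", "")
        self.secret = secret

    def allowed(self, environ):
        if not self.secret:
            return True  # check bypassed: no secret configured
        supplied = environ.get(HEADER_KEY, "")
        # Constant-time comparison, so response timing does not reveal
        # how much of a guessed value matched.
        return hmac.compare_digest(supplied.encode(), self.secret.encode())

    def __call__(self, environ, start_response):
        if self.allowed(environ):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]


def demo_app(environ, start_response):
    """Stand-in for the real API application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, headers):
    """Drive a WSGI app with constructed headers; return (status, body)."""
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = status

    body = b"".join(app(dict(headers), start_response))
    return seen["status"], body
```

Because an unset PROXY_SECRET disables the check, a deployment that loses the variable will serve direct requests; logging the bypass at startup makes that state visible.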