I see some requests in the logs coming from unknown sources.
So how I could prevent all requests except the ones coming from my appspot domain?
Note: This is on appengine, which there is no server from my end to manage, you just upload your app code and they take care of the rest.
Having control over access to your App Engine app, I recommend that you set up firewall(s) and apply rules and priority to structure it as an ordered list. You could allow only traffic from a specific service by creating firewall rules to deny all requests except those that are forwarded from your specific service.
You could make use of the request header X-Appengine-Inbound-Appid to identify the App Engine app that is making a request to your App Engine app. URLFetch service adds the unmodifiable header to the request, so that you can obtain the application’s ID safely.
