Reputation: 8156
I am building an API (PHP) which allows access only by domain name. How should I check the JSONP request origin?
And are there any security layers I could implement? (I am not using keys currently*)
* = I want the users only to add the script tag; I don't want them to have to insert keys and get messed up. If you have any idea how to make that happen and secure it, I would be delighted to hear it.
Upvotes: 0
Views: 357
Reputation: 943142
The best you are going to get is to:
Accept the request if the referer header is missing or set to a URL with a domain on your whitelist.
This will stop people effectively using your API client side on HTTP sites.
Some (relatively small number of) users will have referers disabled. They will be able to use the API on any site that uses it (but since they are a minority, most sites won't want to depend on this, as it will simply break for the majority of users).
It won't stop people running an HTTPS website and using the API - but their users will be warned about a mix of secure and insecure content, so this is also an unattractive option.
This won't stop people hitting your API server side, but you can combat that with IP based rate limiting.
Upvotes: 1
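One way to implement the check the answer above describes, as an added example in PHP that is not part of the original post or either answer. It assumes the endpoint reads the Referer header from `$_SERVER['HTTP_REFERER']`, that the whitelist `ALLOWED_HOSTS` is a hypothetical list for illustration, and that the JSONP callback name arrives in the `callback` query parameter. The host component of the referer is compared as a whole, not as a substring, so `https://example.com.evil.net/` and `https://evil.net/?u=example.com` are rejected while `https://www.example.com/page` is accepted; the callback name is restricted to a plain identifier so the response body cannot be turned into arbitrary script.

```php
<?php
// Added example, not from the original question or answers.
// Assumptions: PHP exposes the Referer request header as $_SERVER['HTTP_REFERER'];
// ALLOWED_HOSTS is a hypothetical whitelist; the JSONP callback comes in ?callback=.

declare(strict_types=1);

const ALLOWED_HOSTS = ['example.com', 'www.example.com']; // hypothetical whitelist

/**
 * Returns true when the Referer header is absent (the answer's "missing" case)
 * or when its host component exactly matches an allowed host.
 * Comparing the parsed host, rather than searching the raw string, means
 * "https://example.com.evil.net/", "https://evil.net/?u=example.com" and
 * "https://example.com@evil.net/" (userinfo trick) are all refused.
 */
function refererAllowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return true; // no referer at all: accept, as the answer suggests
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // unparseable or schemeless referer: refuse
    }
    return in_array(strtolower($host), $allowedHosts, true);
}

/**
 * JSONP callback names must be plain JavaScript identifiers; anything else
 * lets the caller inject script into the response body.
 */
function safeCallback(?string $callback): ?string
{
    if ($callback === null || !preg_match('/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/', $callback)) {
        return null;
    }
    return $callback;
}

// --- request handling ---
if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden: referer not on whitelist\n";
    exit;
}

$callback = safeCallback($_GET['callback'] ?? null);
if ($callback === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Bad request: invalid callback name\n";
    exit;
}

// Constructed sample payload standing in for the real API response.
$payload = ['status' => 'ok', 'data' => [1, 2, 3]];

header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $callback . '(' . json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP) . ');';
```

As the answer notes, this only constrains browsers that send a Referer: a server-side client can set any Referer it likes, so the check is a deterrent for casual client-side reuse, not an authentication mechanism, and IP-based rate limiting is a separate layer.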
Reputation: 5696
There is no secure way of doing this; the origin can be spoofed...
Upvotes: 1