Reputation: 7635
I use GeoDjango to create and serve map tiles that I usually display in OpenLayers as OpenLayers.Layer.TMS.
I am worried that anybody could grab the web service URL and plug it into their own map without asking permission, and then consume a lot of the server's CPU and violate private data ownership. On the other hand, I want the tile service to be publicly available without login, but from my website only.
Am I right to think that such a violation is possible? If yes, what would be the way to be protected from it? Is it possible to hide the URL in the client browser?
Edit: The way you initiate a tile map service in OpenLayers is through JavaScript that can be read from the client browser, like this:
    // TMS base URL and layer id are rendered into the page by the Django template,
    // so anyone viewing the page source can read the full tile URL
    var tiledLayer = new OpenLayers.Layer.TMS('TMS',
        "{{ tmsURL }}1.0/{{ shapefile.id }}/${z}/${x}/${y}.png"
    );
It's really easy to copy/paste this into another website and have access to the web service data.
How can I add an API key to the URL and manage to regenerate it regularly?
Upvotes: 1
Views: 1881
Reputation: 15058
There's a great answer on RESTful Authentication that can really help you out. These principles can be adapted and implemented in Django as well.
The other thing you can do is take it one level higher than implementing this in Django and use your web server.
For example I use the following in my nginx + uwsgi + django setup:
    # the IP address of my front end web app (calling my REST API) is 192.168.1.100.
    server {
        listen 80;
        server_name my_api;
        # allow only my subnet IP address - but can also do ranges e.g. 192.168.1.100/16
        allow 192.168.1.100;
        # deny everyone else
        deny all;
        location / {
            # pass to uwsgi stuff here...
        }
    }
This way, even if they got the URL, nginx would cut them off before it even reached your application (potentially saving you some resources...??).
You can read more about HTTP access control in the nginx documentation.
It's also worth noting that you can do this in Apache too - I just prefer the setup listed above.
Upvotes: 1
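The IP allow-list above only works when the caller is a fixed back end. For tiles requested directly by visitors' browsers, the "regenerated API key in the URL" the question asks for can be done as a short-lived HMAC token that the Django tile view checks before rendering. This is an added example, not code from the question or from either answer; the tile path pattern `1.0/<shapefile.id>/z/x/y.png` is the one from the question, while `SECRET`, the `e`/`t` query parameters and the function names are assumptions, and plain `hmac` is used instead of Django so it runs stand-alone.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs

# Constructed secret for the example; in a real deployment keep it in server
# settings (never in the template/JS) and rotate it to invalidate old links.
SECRET = b"rotate-me-regularly"

# Tile path as used by the question: 1.0/<shapefile.id>/<z>/<x>/<y>.png
TILE_RE = re.compile(r"^/1\.0/(?P<shape>\d+)/(?P<z>\d+)/(?P<x>\d+)/(?P<y>\d+)\.png$")


def sign(shape_id, expires, secret=SECRET):
    """HMAC over the layer id and expiry; the token is useless for other layers."""
    msg = f"{shape_id}:{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_tile_url(tms_url, shape_id, ttl=600, now=None, secret=SECRET):
    """Server side: build the URL template the page embeds in its JS.

    A copied URL keeps working only until `expires`; refreshing the page
    issues a new token, which is the 'regenerate it regularly' part."""
    expires = int(now if now is not None else time.time()) + ttl
    token = sign(shape_id, expires, secret)
    return f"{tms_url}1.0/{shape_id}/${{z}}/${{x}}/${{y}}.png?e={expires}&t={token}"


def check_tile_request(path, query, now=None, secret=SECRET):
    """Server side: call from the tile view; returns (ok, reason)."""
    m = TILE_RE.match(path)
    if not m:
        return False, "bad path"
    qs = parse_qs(query)
    try:
        expires = int(qs.get("e", [""])[0])
    except ValueError:
        return False, "bad expiry"
    token = qs.get("t", [""])[0]
    now = int(now if now is not None else time.time())
    if now > expires:
        return False, "expired"  # stale link: the token no longer grants access
    expected = sign(m["shape"], expires, secret)
    if not hmac.compare_digest(expected, token):  # constant-time compare
        return False, "bad signature"
    return True, "ok"
```

This limits how long a lifted URL stays useful and ties it to one layer; it does not stop a page that re-fetches a fresh token from your site, so pair it with rate limiting at the web server.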
Reputation: 29804
This may not answer your question, but there's no way to hide a web request in the browser. For normal users, seeing the actual request will be very hard, but for network/computer-savvy users (normally programmers who want to take advantage of your API), doing some sniffing and finally seeing/using your web request may be very easy.
What you're trying to do is called security through obscurity and is normally not recommended. You'll have to create a stronger authentication mechanism if you want your API to be completely secure from unauthorized users.
Good luck!
Upvotes: 1