unsworthpp

Reputation: 55

Only allowing certain websites to access a PHP API

I am currently facing the problem of securing an API my clients use on their websites. However, because this API is called by JavaScript, I'm finding it hard to figure out a way to only allow these sites to access the API/URLs.

So how would I go about this? How would I only allow access to these links? Obviously the links could be compromised, but I would like to have a way to deny the script from operating if it hasn't come from a verified site. ATM all I can think of using is the Referrer header, which, as we all know, can be faked. Is there a way I can trace the source of the request? If so, how? Because then I could just check the source of the request and, if it isn't an allowed source, just issue a 403 Forbidden.

Thanks. If you need any more information please feel free to ask!

Upvotes: 2

Views: 1800

Answers (2)

Geoff448

Reputation: 31

Set up a whitelist on your server... I have no details on your server so I can't really elaborate much.

If you were using a node server you could have an array of trusted domains and send an error if the domain requesting your api isn't included. If you are reverse proxying to a node server or using some other language, you could also do something to a similar extent in apache/nginx/whatever you are using.

Upvotes: 0

Justin Erswell

Reputation: 708

Personally I would build a database table which lists the URLs that you want to allow and also a unique key for each of them, something like:

url = http://stackoverflow.com

key = 9fc4c60c2f6b9aaba3a640e5e4b9bc4d

Then use basic auth to authenticate your calls and check the auth headers to match both the url and the key of every access.

This obviously depends on how you have built your API, but as a tip, Slim PHP Framework is a great tool and has a really nice basic auth middleware.

The other way is to have a php file which holds an array of all of your allowed sites and then check through this array for each call.

Upvotes: 1
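Both answers describe the same shape of check: a server-side allowlist of sites (Geoff448's answer), with a key per site verified through Basic Auth (Justin Erswell's answer). The following is an added example in plain PHP, not code from either answer or from Slim; the site table, origins and keys are constructed placeholders. It checks the Origin header rather than Referer because browsers set Origin on cross-site XMLHttpRequest/fetch calls and page script cannot overwrite it, and it answers the CORS preflight that an Authorization header triggers, which is the step most hand-rolled versions of this check get wrong.

```php
<?php
// Added example, not code from the question or either answer: a per-site
// allowlist with a key per site, checked via HTTP Basic Auth and the
// browser-supplied Origin header. ALLOWED_SITES is a constructed
// placeholder; in practice load it from the database table described above.
declare(strict_types=1);

// Site id (used as the Basic Auth username) => origin its pages load from, and its key.
const ALLOWED_SITES = [
    'site-a' => ['origin' => 'https://www.example.com',     'key' => 'change-me-a-9fc4c60c2f6b'],
    'site-b' => ['origin' => 'https://partner.example.org', 'key' => 'change-me-b-aaba3a640e5e'],
];

/** Extract [user, password] from Basic Auth, whichever way the SAPI exposes it. */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // FastCGI setups often only expose the raw header; parse it ourselves.
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

/** Returns [status, reason, originToEcho]; the origin is non-null only when allowed. */
function authorize(array $server, array $sites): array
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    $method = $server['REQUEST_METHOD'] ?? 'GET';

    // Step 1 (the allowlist): is the calling site known at all?
    $known = false;
    foreach ($sites as $site) {
        if ($origin !== '' && $site['origin'] === $origin) {
            $known = true;
            break;
        }
    }
    if (!$known) {
        return [403, 'origin not allowed', null];
    }

    // The CORS preflight carries no Authorization header; answer it for allowed origins only.
    if ($method === 'OPTIONS') {
        return [204, 'preflight', $origin];
    }

    // Step 2 (the key): the site must present its key, and the key must belong to this origin.
    $creds = basic_credentials($server);
    if ($creds === null) {
        return [401, 'credentials required', null];
    }
    [$user, $pass] = $creds;
    if (!isset($sites[$user])
        || $sites[$user]['origin'] !== $origin
        || !hash_equals($sites[$user]['key'], $pass)) {   // constant-time compare
        return [403, 'key does not match site', null];
    }
    return [200, 'ok', $origin];
}

// Web entry point (skipped under the CLI so the functions above can be unit-tested).
if (PHP_SAPI !== 'cli') {
    [$status, $reason, $origin] = authorize($_SERVER, ALLOWED_SITES);
    http_response_code($status);
    if ($origin !== null) {
        // Echo the one allowed origin back; never use '*' when a key is involved.
        header('Access-Control-Allow-Origin: ' . $origin);
        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Authorization, Content-Type');
        header('Vary: Origin');
    }
    if ($status === 401) {
        header('WWW-Authenticate: Basic realm="api"');
    }
    if ($status === 200) {
        header('Content-Type: application/json');
        echo json_encode(['ok' => true]);
    } elseif ($status !== 204) {
        echo $reason;
    }
}
```

What this does and does not give you: a browser will only let pages on the listed origins read the responses, and a page has to know its own site's key. Neither header proves anything about a non-browser client, which can set Origin and the key freely, and the key is visible to anyone who reads the client-side JavaScript, so the server cannot "trace" the true source of a request as the question hopes; treat this as access control for legitimate browsers, issue a distinct key per site so a leaked key can be revoked on its own, and rate-limit per key. Note also that same-origin GET requests may not carry an Origin header, so if your own pages call the API from the same host, handle that case separately.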
