Reputation: 2232
I am working on allowing a Chrome extension to post a new entry to my site via POST data.
I want to be able to lock it down so only the Chrome extension can post. If I get POST data from anywhere else, I want to reject it.
Does anyone know if/how this is possible or how you would go about doing it?
Upvotes: 4
Views: 1366
Reputation: 888
You can add a simple check in the code.
The following code stops anyone who is trying to access your API from outside the Chrome extension.
// Reject the request unless the Origin header starts with chrome-extension://
if (substr($_SERVER['HTTP_ORIGIN'] ?? '', 0, 19) !== "chrome-extension://") die("Not Allowed");
Upvotes: 0
Reputation: 95489
Unfortunately, validating clients (whether a Chrome extension, an Android app, an iOS app, client-side JavaScript, or some other client) from a web server is an unsolved problem.
There are some things that you can do to deter abuse and mitigate this problem such as:
While you can additionally check things such as user agent, referrer URL, or a token that you embed in the Chrome extension, with any distributed application, it is easy to reverse-engineer these and mimic them in a counterfeit app, and so these aren't true solutions.
Upvotes: 2
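A stricter form of the Origin check from the first answer, as an added example that is not part of either answer: it compares the full origin against an allow-list of extension IDs instead of accepting any `chrome-extension://` prefix. The extension ID is a constructed placeholder and the function name is hypothetical; as the second answer points out, a non-browser client can still imitate the header, so this filters requests and does not authenticate them.

```php
<?php
// Added example. The ID below is a constructed placeholder; use the ID of
// your own published extension.
const ALLOWED_EXTENSION_IDS = ['abcdefghijklmnopabcdefghijklmnop'];

/**
 * Return true only when $origin is exactly chrome-extension://<id>
 * and <id> is on the allow-list. (Hypothetical helper name.)
 */
function is_allowed_extension_origin(?string $origin, array $allowedIds): bool
{
    if ($origin === null) {
        return false; // header missing: reject instead of raising a notice
    }
    // Chrome extension IDs are 32 characters from the range a-p.
    // \z anchors at the true end of the string, so nothing may follow the ID.
    if (!preg_match('#^chrome-extension://([a-p]{32})\z#', $origin, $m)) {
        return false;
    }
    return in_array($m[1], $allowedIds, true);
}

if (PHP_SAPI !== 'cli') {
    // In the request handler: answer 403 before touching the POST body.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    if (!is_allowed_extension_origin($origin, ALLOWED_EXTENSION_IDS)) {
        http_response_code(403);
        exit('Not Allowed');
    }
} else {
    // Constructed sample Origin values, for running the check from the CLI.
    $samples = [
        'chrome-extension://abcdefghijklmnopabcdefghijklmnop',      // accept
        'chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba',      // other extension
        'chrome-extension://abcdefghijklmnopabcdefghijklmnop.test', // trailing text
        'https://example.com',                                      // web page
        null,                                                       // no header
    ];
    foreach ($samples as $s) {
        $ok = is_allowed_extension_origin($s, ALLOWED_EXTENSION_IDS);
        printf("%-62s %s\n", var_export($s, true), $ok ? 'accept' : 'reject');
    }
}
```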