Reputation: 35
Is it possible to ensure that GET/POST requests to a particular URL of my App Engine app, AJAX or not, can only be made from within the app and not from outside, i.e. all requests from other domains have to be rejected?
Possible?
Upvotes: 1
Views: 151
Reputation: 1078
Requests made from your app (by the queue, etc.) are automatically admin, so you can require that requests are made by admin. Simply add the following to your app.yaml:
handlers:
- url: /whatever_url_you_want_protected
  script: your_app.py
  login: admin
It is also a good idea to add the following skip_files entry to the bottom of your app.yaml:
skip_files: |
  ^(.*/)?(
  (app\.yaml)|
  (app\.yml)|
  (index\.yaml)|
  (index\.yml)|
  (#.*#)|
  (.*~)|
  (.*\.py[co])|
  (.*/RCS/.*)|
  (\..*)|
  (tests/.*)
  )$
This works for get/post, ajax, any type of request.
Upvotes: 1
Reputation: 120917
Requests do not come from within the app or from another domain. They come from a computer, by means of a browser, a crawler, a script or any program really. This means that your question is not specific to Google App Engine but to web programming in general. A fragile approach would be to rely on the HTTP_REFERER, but I do not recommend that. You should make sure that your users log in, and only display critical information to users whose identity you know.
Upvotes: 5
Reputation: 122609
In addition to what @klausbyskov said, you should look at the various protection mechanisms against Cross-Site Request Forgery (CSRF).
Upvotes: 5
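As an added example, not code from any of the answers above or from App Engine itself: a framework-agnostic Python 3 sketch of what the last two answers recommend together. Every request must belong to a logged-in user, and state-changing requests must additionally carry a synchronizer token bound to that user by an HMAC. A forged cross-site form post makes the victim's browser send the session cookie, so the user is resolved, but the attacker's page cannot read the token, so the request is rejected. The Referer header plays no part. `SECRET_KEY`, `TOKEN_TTL`, the `(method, headers, form, user_id)` request shape and the requests in `demo()` are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret: in production load it from configuration or a
# secret manager, never from source. Any 32+ random bytes will do.
SECRET_KEY = b"assumed-example-secret-change-me-0123456789"
TOKEN_TTL = 3600                            # seconds a token stays valid
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # handlers for these must not change state


def _mac(user_id, nonce, issued_at, secret):
    payload = f"{user_id}:{nonce}:{issued_at}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_csrf_token(user_id, now=None, secret=SECRET_KEY):
    """Issue a synchronizer token bound to the logged-in user.

    Format: nonce.issued_at.hmac. The HMAC covers user_id, so a token issued
    to one user cannot be replayed in a request made under another session.
    Embed it in the page (hidden form field or a JS variable for AJAX calls).
    """
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued_at}.{_mac(user_id, nonce, issued_at, secret)}"


def verify_csrf_token(token, user_id, now=None, secret=SECRET_KEY, ttl=TOKEN_TTL):
    """True only if token was issued to user_id by this server and is unexpired."""
    try:
        nonce, issued_at, mac = token.split(".")
        issued_at = int(issued_at)
    except (AttributeError, ValueError):        # malformed or non-string token
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued_at <= ttl:     # expired, or "issued" in the future
        return False
    expected = _mac(user_id, nonce, issued_at, secret)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def authorize_request(method, headers, form, user_id, now=None):
    """Decide whether a request may reach a protected handler.

    user_id is whatever the session/login layer resolved from the cookie
    (None when nobody is logged in). Safe methods need only the login;
    everything else also needs a valid token in the form body or in an
    X-CSRF-Token header. Returns (allowed, reason).
    """
    if user_id is None:
        return False, "login required"
    if method.upper() in SAFE_METHODS:
        return True, "ok"
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not token:
        return False, "missing csrf token"
    if not verify_csrf_token(token, user_id, now=now):
        return False, "invalid or expired csrf token"
    return True, "ok"


def demo(now=1_700_000_000):
    """Constructed requests (not captured traffic) showing each outcome."""
    alice = "alice@example.com"
    token = make_csrf_token(alice, now=now)
    results = {}
    # 1. In-app AJAX POST: logged in, token sent in the header.
    results["in_app_ajax"] = authorize_request(
        "POST", {"X-CSRF-Token": token}, {}, alice, now=now)
    # 2. Forged cross-site form POST: the cookie arrived (user resolves), the token did not.
    results["cross_site_form"] = authorize_request(
        "POST", {"Referer": "https://attacker.example/"}, {"action": "delete"}, alice, now=now)
    # 3. Anonymous GET from a crawler or script.
    results["anonymous_get"] = authorize_request("GET", {}, {}, None, now=now)
    # 4. Alice's token replayed in a request whose session belongs to Bob.
    results["token_for_other_user"] = authorize_request(
        "POST", {}, {"csrf_token": token}, "bob@example.com", now=now)
    # 5. The same token presented two hours later.
    results["expired_token"] = authorize_request(
        "POST", {}, {"csrf_token": token}, alice, now=now + 2 * TOKEN_TTL)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

Two practical notes. First, this only works if GET handlers never change state; a "delete" link reachable by GET is forgeable by a plain `<img src=...>` no matter how the POST path is protected. Second, `login: admin` in app.yaml (first answer) and this token check are complementary: the former keeps anonymous clients out entirely, the latter stops a logged-in user's browser from being driven by another site.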