
I am building an API (PHP) which allows access only by domain names, how should I check the JSONP request origin?
And are there any security layers I could implement? (I am not using keys currently*)


* = I want the users only to add the script tag, I don't want them to have to insert keys and get messed up - if you have any idea to make that happen and secure it I would be delighted to hear it.

funerr

2 Answers

1

There is no secure way of doing this, the origin can be spoofed...

Manatok
  • If I would be using CORS and making a huge list of allowed origins, would it make it more secure? – funerr Jul 10 '12 at 12:39
  • @agam360 - No, the point of JSONP is to completely bypass the same origin policy. CORS opens a narrow channel through it (which is pointless if you are walking around it completely). – Quentin Jul 10 '12 at 12:45
  • Don't ever use the Origin Header as a means of validation, this can always be changed. IP rules on the server side or API key with usage limits are probably your best bet – Manatok Jul 10 '12 at 12:49
1

The best you are going to get is to:

Accept the request if the referer header is missing or set to a URL with a domain on your whitelist.

This will stop people effectively using your API client side on HTTP sites.

Some (relatively small number of) users will have referers disabled. They will be able to use the API on any site that uses it (but since they are a minority, most sites won't want to depend on this as it will simply break for the majority of users).

It won't stop people running an HTTPS website and using the API - but their users will be warned about a mix of secure and insecure content, so this is also an unattractive option.

This won't stop people hitting your API server side, but you can combat that with IP based rate limiting.

Quentin
  • Thanks for the response. So I'll try to sum up what you said (correct me if I am mistaken): check for the Referrer (I can send the url from the client side with document.URL to be sure I have some data), then check for over-use of the api from one ip and block him (if it happens). You also mentioned that https sites will get a notification, what should I do in order to fix that(notification)? – funerr Jul 10 '12 at 14:09
  • If you write JS to send the URI of the page that has loaded the JS, then it can be modified by the page author and spoofed. I recommend using the referer header which the browser sets. – Quentin Jul 10 '12 at 14:11
  • Yes, use rate limiting by checking the number of requests from a given URI in a given time period. – Quentin Jul 10 '12 at 14:11
  • If you want to allow sites to use your API from HTTPS URI, then you must provide a copy of your API through an HTTPS URI of your own (so that all the content for the page is loaded over HTTP). Browsers don't send referers for HTTPS though, so this will prevent you catching people using your API from their HTTPS sites using the referer technique. – Quentin Jul 10 '12 at 14:13
  • I know that people can easily spoof the data in javascript, but I could verify that at least if no data comes from the header. – funerr Jul 10 '12 at 14:15
  • Can't you also easily spoof HTTP REFERER HEADER which the browser set? – zechdc Jul 27 '12 at 20:33
  • @zechdc — Not in this case since Alice's browser, accessing Bob's API while visiting Malory's site couldn't be told by Malory's site to spoof the referer. That would require Alice (innocent user of Malory's site) to spoof it herself. – Quentin Jul 28 '12 at 23:06
  • Alice could spoof the REFERER to Bob's API if the api is being accessed client side by Malory's site. The transaction could be intercepted by Alice and the referer could be changed. Or Alice could steal the API key from the code since it's being accessed client side.. then make whatever calls she wants to the api. Or am I still missing something? Actually, please take a look at my question. I thought it was asking something very similar, correct me if I'm wrong please. http://stackoverflow.com/questions/11694443/how-do-i-secure-an-api-by-only-allowing-trusted-domains – zechdc Jul 31 '12 at 15:17
  • @zechdc — The goal is to stop Malory making use of Bob's API on her site. If Alice visits Malory's site, then it won't work unless Alice takes special steps to work around Bob's security. Most users would find it too complicated and/or wonder why Malory needed them to jump through those hoops. Consequently Malory would lose most of her visitors as the site wouldn't work for them. – Quentin Jul 31 '12 at 15:36
  • @Quentin -- Ok, that makes sense for that use case. Thanks for taking the time to explain it :) – zechdc Jul 31 '12 at 15:43
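The approach in the answer above (accept when the Referer header is absent or its host is on a whitelist, and rate-limit by client IP) as a PHP JSONP endpoint. This is an added example, not code from the question or the answers; the whitelist, the per-IP limit, the window size and the file-based counter store are assumptions chosen to keep it self-contained. The referer check compares the full host exactly rather than with a suffix match, so `example.com.evil.test` is not treated as `example.com`, and the JSONP callback name is restricted to a plain identifier because it is echoed into a script body.

```php
<?php
// Added example (not from the question or answers): referer whitelist plus
// per-IP rate limit for a JSONP endpoint. Whitelist, limits and the store
// path below are assumptions for illustration.

const ALLOWED_HOSTS = ['example.com', 'www.example.com']; // assumed whitelist
const RATE_LIMIT = 60;                                    // assumed: requests per IP per window
const RATE_WINDOW_SECONDS = 60;                           // assumed window length
const RATE_STORE = '/tmp/jsonp_rate_limit.json';          // assumed: simple file store

/**
 * True when the Referer header is absent (users with referers disabled, as
 * the answer notes) or when its host exactly matches a whitelisted host.
 * An unparseable referer is treated as not whitelisted.
 */
function refererAllowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($host), $allowed, true);
}

/**
 * Fixed-window counter per client IP; true while the request is within the
 * limit. A JSON file keeps the example self-contained; a real deployment
 * would use a shared store (Redis, memcached) so all web workers agree.
 */
function withinRateLimit(string $ip, int $limit, int $windowSeconds, string $storePath): bool
{
    $now = time();
    $data = [];
    if (is_file($storePath)) {
        $decoded = json_decode((string) file_get_contents($storePath), true);
        $data = is_array($decoded) ? $decoded : [];
    }
    $entry = $data[$ip] ?? ['start' => $now, 'count' => 0];
    if ($now - $entry['start'] >= $windowSeconds) {
        $entry = ['start' => $now, 'count' => 0]; // window expired: start a new one
    }
    $entry['count']++;
    $data[$ip] = $entry;
    file_put_contents($storePath, json_encode($data), LOCK_EX);
    return $entry['count'] <= $limit;
}

/**
 * The callback name is written straight into the response script, so only a
 * plain dotted identifier is accepted; anything else is rejected, not reflected.
 */
function validCallbackName(string $callback): bool
{
    return (bool) preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/', $callback);
}

// --- Request handling --------------------------------------------------------
$referer  = $_SERVER['HTTP_REFERER'] ?? null;
$ip       = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$callback = $_GET['callback'] ?? 'callback';

if (!refererAllowed($referer, ALLOWED_HOSTS)) {
    http_response_code(403);
    exit;
}
if (!withinRateLimit($ip, RATE_LIMIT, RATE_WINDOW_SECONDS, RATE_STORE)) {
    http_response_code(429);
    exit;
}
if (!validCallbackName($callback)) {
    http_response_code(400);
    exit;
}

$payload = ['ok' => true, 'data' => 'constructed sample response']; // constructed sample data
header('Content-Type: application/javascript; charset=utf-8');
echo $callback . '(' . json_encode($payload) . ');';
```

The caveats from the answer still apply: a page served over HTTPS that loads this API over HTTP triggers mixed-content warnings, and browsers do not send a Referer from an HTTPS page to an HTTP endpoint, so those requests fall into the "header missing" branch and are accepted; the IP rate limit is what bounds server-side abuse in that case.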