2

I'm creating a REST API, so basically one api key only valid for one domain,

example : api_key 0kjs9s9s9 only valid for mysite.com

this is for security purpose, so 0kjs9s9s9 only will be able to accessed from mysite.com.

So the question, how to get the domain name who access the page ? when i print, print_r($_SERVER), i only get one information about who are request the page, 'REMOTE_ADDR', and it's an IP. after reading from some place, i find, that i can use gethostbyaddr($_SERVER['REMOTE_ADDR']) but i'm not sure it's the right way. please any body give me and example code for this issue.

How if mysite.com is running under proxy and load balancer farm ? which IP i will get ? the proxy or the domain ?

Is some one can send request with fake domain ?

Thanks in advance

Ahmad
  • 4,224
  • 8
  • 29
  • 40
  • When talking about domains, it seems you're talking about scripting in a browser? If so, then I think you can only do this by relying on some JavaScript trickery, and even then it could be faked using server side calls. See my answer at [REST authentication and exposing the API key](http://stackoverflow.com/questions/5472668/rest-authentication-and-exposing-the-api-key/13891103#13891103). For server side requests you'd need to ask the user of the API key from which server IP address the API will be used. – Arjan Dec 16 '12 at 14:56

1 Answers1

1

The remote IP will not necessarily even resolve. Proxies and NAT devices will probably display their own IP address; the originating device may well not have a public IP address if its own.

tripleee
  • 175,061
  • 34
  • 275
  • 318