
I'm using PHP and JSON to make an API and I would like to limit access to it. The most user-friendly way to do this (in my opinion) would be an API key for each user. What I'd like to do is check who's using/requesting the JSON, and then I could check the site against the key (I know how to do the last part). (The key will be appended to the site URL: ?key=KEY)

I have tried

$_SERVER['HTTP_REFERER'];

But apparently this would only show the last site if you're redirected to my site.

I hope this wasn't TOO subjective, and I don't really know how to explain this in any other way. Hopefully someone could understand what I'm trying to do and maybe has a better solution? I'm kinda new to making APIs, at least limited ones. Thanks!

1 Answer


The referrer is set by web browsers to give you the last page the user browsed before getting to your site. If you authenticate a site by using an API key, and this site embeds the API key in its JS code so that visitors can access your API directly, rate-limiting by using both API keys and the referrer will allow attackers to DoS your API until a specific site has been rate-limited (because the attacker knows the API key, and the referrer can easily be spoofed).

  • Doesn't matter if anyone knows the API key or not, because the DB will check whether the page using the key is the same as in the table. Do you know a safe way to get the site using the JSON? – user2208142 Mar 30 '14 at 15:06
  • If a third-party site is using your API and sending requests from their server-side code, you can check the IP the request came from. If the users of that third-party site will query your API directly, there's no way to check what site they used it from (other than checking which API key they used). –  Mar 30 '14 at 15:25
  • I would like the IP from the request, yes. Some sites will have access (trusted sites); users from these sites won't be able to query from their site. – user2208142 Mar 30 '14 at 15:31
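The approach the answer and comments converge on (key lookup plus a check of the IP the request actually came from, for trusted sites that call the API from their own servers), as an added example that is not part of the original question or answer. The key table, site names, IP addresses and the two request arrays are constructed for illustration; a real deployment would load the record from the asker's database with a prepared statement.

```php
<?php
// Added example: API-key plus source-IP authorization for server-to-server
// callers. Not code from the original question or answer. The key table,
// IPs and request arrays below are constructed for illustration.

declare(strict_types=1);

// Constructed key table. Each key is bound to the server IP(s) of the site
// that owns it, not to a Referer, because Referer is client-supplied and
// trivially forged by anyone who has learned the key.
const API_KEYS = [
    'k_3f9a1c' => ['site' => 'partner-a.example', 'ips' => ['203.0.113.10']],
    'k_7b2e44' => ['site' => 'partner-b.example', 'ips' => ['198.51.100.7', '198.51.100.8']],
];

/**
 * Decide whether a request may use the API.
 *
 * $get    : the query parameters (normally $_GET)
 * $server : the server variables (normally $_SERVER)
 *
 * Returns ['ok' => bool, 'site' => ?string, 'reason' => string].
 */
function authorize(array $get, array $server): array
{
    $key = $get['key'] ?? '';
    // ?key[]=x arrives as an array; reject anything that is not a plain string.
    if (!is_string($key) || $key === '') {
        return ['ok' => false, 'site' => null, 'reason' => 'missing key'];
    }

    $record = API_KEYS[$key] ?? null;
    if ($record === null) {
        return ['ok' => false, 'site' => null, 'reason' => 'unknown key'];
    }

    // REMOTE_ADDR is the TCP peer the request came from; unlike HTTP_REFERER
    // the caller cannot set it. Behind a reverse proxy REMOTE_ADDR is the
    // proxy, and the client IP must then be taken from a header that only
    // the proxy can set (see the usage note).
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($ip, $record['ips'], true)) {
        return ['ok' => false, 'site' => $record['site'], 'reason' => "ip $ip not allowed for this key"];
    }

    return ['ok' => true, 'site' => $record['site'], 'reason' => 'ok'];
}

/** Send a JSON 403 and stop if the request is not authorized. */
function enforce(array $get, array $server): array
{
    $auth = authorize($get, $server);
    if (!$auth['ok']) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => $auth['reason']]);
        exit;
    }
    return $auth;
}

// Constructed requests showing why the Referer cannot carry the decision.
// Legitimate server-side call from partner-a's own server:
$legit = authorize(
    ['key' => 'k_3f9a1c'],
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_REFERER' => 'https://partner-a.example/page']
);

// Attacker who learned partner-a's key (for example from its JS) and sets
// the same Referer, but connects from a different address:
$spoofed = authorize(
    ['key' => 'k_3f9a1c'],
    ['REMOTE_ADDR' => '192.0.2.99', 'HTTP_REFERER' => 'https://partner-a.example/page']
);

printf("legit:   %s (%s)\n", $legit['ok'] ? 'allowed' : 'denied', $legit['reason']);
printf("spoofed: %s (%s)\n", $spoofed['ok'] ? 'allowed' : 'denied', $spoofed['reason']);
```

In the JSON endpoint the first line would be `$auth = enforce($_GET, $_SERVER);`. Two caveats a practitioner would want: if PHP runs behind a load balancer or reverse proxy, `REMOTE_ADDR` is the proxy's address, and the real client IP has to be read from a header such as `X-Forwarded-For` only when the proxy strips any client-supplied copy and sets it itself, otherwise that header is as forgeable as the Referer; and a key carried in `?key=KEY` lands in access logs and browser history, so for server-to-server use a request header is the usual choice (the check above works the same way with `$_SERVER['HTTP_X_API_KEY']` in place of `$_GET['key']`).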