
My application provides an API key and JavaScript code to put on their site (similar to the Google Analytics code).

All the calls in the API use JSONP to communicate with our server.

Since the API key is sensitive, we have our users coming back and asking us to provide a whitelisting option for the domain. This is similar to LinkedIn, Facebook, Twitter and Google.

Should I be using the referrer option to restrict the domain? But a rogue user can always add this manually using a normal HTTP API call and gain access.

Is it a good idea to encrypt (or hash?) and send the window.location within the API call and compare that on the server side?

  • Can you use CORS instead of JSONP? It would be significantly easier to have a reliable source domain. Also, do you need protection from automated scripts (like a console application) or just from pages in browsers rendered from other domains? – Alexei Levenkov May 26 '14 at 06:35
  • CORS seems a good alternative. We can use POST, PUT like normal data. Before we rewrite our entire API, is this how Facebook, Twitter and Google do it too? – cloudpre May 26 '14 at 07:16
  • No, but they have different requirements. Most of them use authenticated requests with OAuth2: a rogue site will simply not get a token back during authentication, so the site will not be able to call the service. I'm not sure what your requirements are, but reading on how other sites are protecting their API may be a good start (each of the mentioned sites has documentation on how its services should be called). – Alexei Levenkov May 26 '14 at 07:32
  • Google's JavaScript doesn't use OAuth for their client API. They ask for domains which need to be whitelisted. We are looking for the same approach. We use OAuth too, but for login to the app and not for widgets. Thanks. – cloudpre May 26 '14 at 17:38
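As an added illustration, not code from the question or from any of the sites mentioned: a server-side per-key origin allow-list check of the kind the CORS suggestion in the comments implies. The API key to origin map, the header names and the sample domains are assumptions constructed for the example.

```javascript
// Constructed sample data: origins registered for each API key.
const KEY_ALLOWLIST = {
  "key-abc123": ["https://example.com", "https://www.example.com"],
  "key-xyz789": ["https://shop.example.org"],
};

// Normalise a browser-supplied URL (Origin or Referer header value) to
// scheme://host[:port]; returns null if it cannot be used for a decision.
function normalizeOrigin(value) {
  if (!value || value === "null") return null; // opaque origin (sandboxed iframe, file://)
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // drops path, query, credentials and default ports
  } catch (e) {
    return null;
  }
}

// Decide whether a widget request may use the given key. Origin is preferred
// because browsers always attach it to cross-origin CORS requests; Referer is a
// fallback only, since referrer policy may strip it. As the question notes,
// neither header stops a non-browser client that sets them by hand, so this
// check governs where the widget may be embedded; it does not replace
// authentication for anything the key must keep private.
function checkRequest(apiKey, headers) {
  const allowed = KEY_ALLOWLIST[apiKey];
  if (!allowed) return { ok: false, reason: "unknown key" };
  const origin = normalizeOrigin(headers.origin) || normalizeOrigin(headers.referer);
  if (!origin) return { ok: false, reason: "no usable origin" };
  if (!allowed.includes(origin)) return { ok: false, reason: "origin not registered" };
  // Echo back only the matched origin, never "*", so the browser enforces it too.
  return {
    ok: true,
    cors: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
  };
}
```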
