-1

Is there any way to validate that a request to my API is coming from a specific domain without the risk of someone tampering with it?

For instance, if I get a request to:

http://www.mydomain.com/api?request=something&key=12345

I can check to be sure that the API key 12345 has been assigned to a user before returning the results. However, I would like to confine that API key 12345 to a specific domain so that only a person from theirdomain.com would be able to send API requests using the key 12345.

I'm not asking how to program that part, I know that. I'm just asking if there's any way to do so (or any other ideas you may have) aside from using $_SERVER['HTTP_REFERER'] (something more secure)?

MultiDev
  • 10,389
  • 24
  • 81
  • 148
  • don't bother with HTTP_REFERER its browser set totally fakeabel –  Jul 22 '14 at 20:52
  • 1
    Impossibru. Although... you can always make a request back on the domain on the specific URL. Think about how oauth works – PeeHaa Jul 22 '14 at 20:53
  • .. or most of the credict card gateways - you say *hi* to them then they send back to the domain they know about. –  Jul 22 '14 at 20:56
  • Generate a temporary session token based on the ip address – Ke Vin Jul 22 '14 at 20:57
  • possible duplicate of [API Security: how to restrict access by domain?](http://stackoverflow.com/questions/6171069/api-security-how-to-restrict-access-by-domain) – IMSoP Jul 22 '14 at 21:28

1 Answers1

0

There is nothing built into HTTP that allows you to detect the "context" of a request, apart from voluntary (and therefore trivially spoofable) information from the client, such as the Referer header.

If this is a server-to-server API (rather than something which will be requested directly by a user's browser), you could check the source IP address, using $_SERVER['REMOTE_ADDR']. This is much trickier to fake, particularly if you're whitelisting rather than blacklisting IPs. (It's easy to find another IP, to avoid a blacklist, but near-impossible to choose your IP, to avoid a whitelist).

This is often used in e-commerce and e-payment APIs, where the owner of an account provides a list of IP addresses on setup, or in a customer control panel, to make it harder for third parties to use a stolen username and password.

IMSoP
  • 89,526
  • 13
  • 117
  • 169
  • 1
    name an credit card gateway that gives a fig about ip addresses?? –  Jul 22 '14 at 20:58
  • @Dagon WorldPay, for one; I'm not sure about SecureTrading and DataCash, it's a while since I've logged into their control panels, but I wouldn't be surprised. I'm talking pure server-side APIs, here, not in-browser redirections. – IMSoP Jul 22 '14 at 21:00
  • Other than disbelief that I'm telling the truth about payment gateways running IP whitelists, anyone care to explain why they downvoted this? Is the feeling that I've jumped to too much of an assumption in switching from referring domain to address of connecting client? – IMSoP Jul 23 '14 at 23:09