0

I'm trying to wrap my head around Google App Engine, and more specifically Tasks.

My question is about security. If I define a queue like:

```yaml
- url: /queues/long-task
  script: urlhandlers.QueueLongTask.app
  login: admin
```

Will I be sure that `/queues/long-task` can only be accessed by an admin AND the task system? I was not able to find a reference about this in the Google documentation.

Thank you in advance

Cyril N.

1 Answer

3

You are correct, `login: admin` takes care of it.

You can find more info in the documentation here: https://cloud.google.com/appengine/docs/python/taskqueue/overview-push#Python_Securing_URLs_for_tasks

You can also use headers like `X-AppEngine-QueueName` if you want to do specific things only when this is called from a task:

"These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped."

Zebs
  • Thank you for the precision, but the part about the header is bothering me: as a client, I can add any headers to my request, including for example `X-AppEngine-QueueName`. Does GAE prevent a client from adding this header? – Cyril N. Apr 06 '16 at 16:10
  • You could add them, but App Engine will strip them: "If any of the above headers are present in an external user request to your app, they are stripped." – Zebs Apr 06 '16 at 20:47
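
The header check discussed in the answer and comments, as an added example (not code from the answer or from Google's documentation): a plain WSGI handler that runs the task body only when `X-AppEngine-QueueName` is present and names the expected queue, so an admin opening the URL in a browser is refused. Assumptions: the queue is named `long-task`, the handler is standard-library WSGI rather than the asker's `urlhandlers` module, and the app runs behind App Engine's front end, which is what strips these headers from external requests.

```python
# Added example: standard-library WSGI only; not App Engine's or the asker's code.
from wsgiref.util import setup_testing_defaults

EXPECTED_QUEUE = "long-task"  # assumption: name of the push queue feeding this URL


def task_queue_name(environ):
    """Return the queue name from X-AppEngine-QueueName, or None if absent.

    WSGI exposes request headers as HTTP_* keys, upper-cased with '-' -> '_'.
    """
    value = environ.get("HTTP_X_APPENGINE_QUEUENAME", "").strip()
    return value or None


def app(environ, start_response):
    queue = task_queue_name(environ)
    if queue is None:
        # `login: admin` still admits admin browser sessions; they carry no task header.
        status, body = "403 Forbidden", b"task queue requests only\n"
    elif queue != EXPECTED_QUEUE:
        status, body = "403 Forbidden", b"unexpected queue\n"
    else:
        task = environ.get("HTTP_X_APPENGINE_TASKNAME", "?")
        status, body = "200 OK", ("ran task %s\n" % task).encode("utf-8")
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call(headers):
    """Drive the app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/queues/long-task"}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    environ.update(headers)
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

Outside App Engine (a local test server, another host) nothing strips the header, so this check is only meaningful alongside `login: admin` on the deployed app.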