I use some of Azure's Cognitive Services via JavaScript on my website. How can I prevent anybody from grabbing the key and using up my quotas? Other API providers I've worked with allow the user to limit the key to certain domains, but I just can't find such a setting in the Azure backend.
- I couldn't find anything either... I suppose you might need to consider having your JS call a 'relay server' that you own, where the server itself contains the cognitive key and not the client. – Porschiey Jul 13 '17 at 16:25
- As @Porschiey said, if you want to use a relay server, a nice fit in Azure is its APIM PaaS service (API Gateway), where you can configure rate limits and domain restrictions, configure the key and invoke Cognitive Services. – Gopi Kolla Jul 13 '17 at 20:46
- In the meantime I contacted Microsoft's support. They say limiting the keys to domains (as Google or Twitter do) doesn't make sense because you can fake the `HOST` header. At least that would make stealing a bit more difficult, though. As far as I can see there is no way to protect the keys in the frontend, so there's no way around a server-side proxy. – wortwart Jul 14 '17 at 08:28
1 Answer
> How can I avoid that anybody grabs the key and uses up my quotas?

Open door: Don't put your key in a plain-text readable file. Whatever JavaScript trickery you want to use, the code is available, so the key is out there.

Obvious answer: Keep the key server-side and solve it this way. Yes, it's an extra trip, but you can beef up the filtering of requests a lot more. Like you said, you could fake a host, so use this to make sure nobody is using up your quota.

If you still want it client-side, then Steven Legett has some ideas for you. USE HTTPS!

Martin van Delft