49

For example, check out this Facebook plugin.

On the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this feature on a different site?

I figured a very naive implementation would be to check the domain the request comes from but things like this are easy to fake.

If I were to create something similar, how would I go about securing the authentication process?

I want as much of this work to be client side, though some form of server authentication will be required surely? Any links or advice would be greatly appreciated.

Update

Similar question about API keys that I found useful.

Finglas
  • 1
    Have you looked at twitter's @anywhere? The API key is open, but they use other information /secret to test the data – Shaun Wilde Oct 21 '11 at 09:01

2 Answers

13

In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).

Piskvor left the building
  • I'm guessing in that case the API key will change for every single request, right? – Finglas Oct 21 '11 at 09:01
  • @Finglas: No. Why should it? The API key identifies your application, and that is tied to a single domain; if you use it on another domain, the API key won't match when it's checked on FB via AJAX and the UI won't load. – Piskvor left the building Oct 21 '11 at 09:07
  • 5
    That's what I'm getting at. How can we trust the domain, if I registered site A, what's stopping me from making site B using the same key but bodging the headers prior to sending a request? – Finglas Oct 21 '11 at 09:12
  • @Finglas: How exactly do you bodge the headers? They are not sent by your server, but by the user's browser. – Piskvor left the building Oct 21 '11 at 09:45
  • 7
    Things such as Firebug/Tamper Data-like tools, etc. Despite this, an API key sounds like it will do the job. An interesting question on the same topic can be found here: http://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar – Finglas Oct 21 '11 at 09:48
  • @Finglas: Yes, I'm aware that HTTP is simple to modify in transfer, but that will only help you to pretend that a POST happened *from the legitimate domain*, accomplishing nothing for the new domain; furthermore, that will only help *you* - I posit that the other domain's users aren't interested in messing with their HTTP traffic. – Piskvor left the building Oct 21 '11 at 09:54
  • Fair enough. Thanks for the advice. You've pointed me in the right direction for what I need. – Finglas Oct 21 '11 at 10:00
  • @Piskvor Is there any validation mechanism you would recommend? – Bugs Aug 08 '17 at 07:24
  • @Bugs: This didn't exist when the question was written, and might be aimed at a different use-case, but see https://jwt.io/ – Piskvor left the building Mar 23 '18 at 12:01
3

I haven't done this myself, but I know that the kind of attack you are worried about is called Cross-site Request Forgery (CSRF). The Wikipedia article on that gives some hints on how to prevent it.

GregL
  • That should be the title of this question. `"How to prevent Cross-site Request Forgery?"` – mr5 Oct 30 '15 at 00:59
  • 5
    @mr5 If "Preventing CSRF" were the title, people like me who don't know the name wouldn't find the question – Eponymous Aug 06 '17 at 17:28
  • 1
    @Eponymous Well, you are correct! I can't remember why I wrote this stupid comment. Just ignore it. lol – mr5 Aug 06 '17 at 17:33