Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am building an API(PHP) which allows access only by domain names, how should I check the JSONP request origin?
And are there any security layers I could Implement? (I am not using keys currently*)
* = I want the users only to add the script tag, I don’t want them to have to insert keys and get messed up – if you have any idea to make that happen and secure it I would be delighted to hear it.
The best you are going to get is to:
Accept the request if the
refererheader is missing or set to a URL with a domain on your whitelist.This will stop people effectively using your API client side on HTTP sites.
Some (relative small number of) users will have referers disabled. They will be able to use the API on any site that uses it (but since they are a minority, most sites won’t want to depend on this as it will simply break for the majority of users).
It won’t stop people running an HTTPS website and using the API – but their users will be warned about a mix of secure and insecure content, so this is also an unattractive option.
This won’t stop people hitting your API server side, but you can combat that with IP based rate limiting.