I am interested to know how an URL-based api key restriction works, such as the one used by Google to protect its Google Maps service.
From what I understand from this article “Restricting Access to Ajax Services,” there are two parts involved: first where the service creates a specific key for a given domain, using a one-way hash function; and second where the service validates the key based on the Referer header.
While the article is quite explanatory, I still have a problem trying to understand how safe is the validation method. I mean, if the key is checked only against the referer, isn’t this quite easy to forge? I am thinking that a simple “127.0.0.1 http://www.mydomain.com” in the hosts file will be enough to trick the validation, and think that the referer is http://www.mydomain.com .
I might have misunderstood some things and a few clarifications will be appreciated.
The “Limitations” section of the article you cite specifically mentions the possibility of spoofing the referrer.
Changing the host file might indeed be enough to forge your referrer, but only when you’re accessing the site from your own computer. That means you can abuse the license only when testing locally. That’s not very interesting abuse.
In order to publish your app, you’d need to spoof the referrer on everyone’s browsers, unless you’re using the API from a locally run executable, in which case you’re probably in full control of all the headers.