DaniWeb IT Discussion Community

standardt Jun 21st, 2009 8:16 am
URL-Based API Key Restriction: How does validation work?
 
Hi,

I don't know if this is the right area to post this, but it seems to be related.

I am interested to know how a URL-based API key restriction works, such as the one used by Google to protect its Google Maps service.

From what I understand from this article http://java.sun.com/developer/techni...pikeys/#urlres , there are two parts involved: first where the service creates a specific key for a given domain, using a one-way hash function; and second where the service validates the key based on the Referer header.

While the article is quite explanatory, I still have a problem understanding how safe the validation method is. I mean, if the key is checked only against the referer, isn't this quite easy to forge? I am thinking that a simple "127.0.0.1 www.mydomain.com" in the hosts file will be enough to trick the validation into thinking that the referer is www.mydomain.com.

I might have misunderstood some things and a few clarifications will be appreciated.


Thank you for your time,
Standardt.
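
The two-part scheme described in the post (a per-domain key from a one-way hash, then validation against the Referer header), as an added example that is not part of the original post or the linked article. It assumes HMAC-SHA256 with a server secret as the one-way hash; `SERVER_SECRET`, the function names, and the request dictionaries are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo secret; a real service would load this from protected storage.
SERVER_SECRET = b"constructed-demo-secret"

def issue_key(domain):
    """Key for a registered domain: keyed one-way hash of the normalised host."""
    host = domain.strip().lower().encode("utf-8")
    return hmac.new(SERVER_SECRET, host, hashlib.sha256).hexdigest()

def referer_host(referer):
    """Host part of a Referer header, or None when absent or malformed."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def validate(request):
    """Recompute the key from the Referer host and compare in constant time.

    Only the key and the Referer header are consulted; both are values the
    client sends, so this binds a key to a claimed page, not to a caller.
    """
    host = referer_host(request["headers"].get("Referer"))
    if host is None:
        return False
    presented = request.get("key", "").encode("utf-8")
    return hmac.compare_digest(issue_key(host).encode("utf-8"), presented)

def demo():
    key = issue_key("www.mydomain.com")
    def req(addr, referer):
        headers = {"Referer": referer} if referer else {}
        return {"remote_addr": addr, "key": key, "headers": headers}
    return {
        "registered_page": validate(req("198.51.100.7", "http://www.mydomain.com/map.html")),
        "key_copied_to_other_site": validate(req("198.51.100.7", "http://www.example.org/")),
        "lookalike_host": validate(req("198.51.100.7", "http://www.mydomain.com.example.org/")),
        "no_referer": validate(req("198.51.100.7", None)),
        # Same header text from a different address: the result does not change.
        "same_header_other_client": validate(req("203.0.113.9", "http://www.mydomain.com/")),
    }

if __name__ == "__main__":
    print(demo())
```

The exact host comparison is what rejects the lookalike host; a substring match on the Referer would accept it.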

