URL-Based API Key Restriction: How does validation work?
Hi,
I don't know if this is the right area to post this, but it seems to be related.
I am interested to know how a URL-based API key restriction works, such as the one used by Google to protect its Google Maps service.
From what I understand from this article http://java.sun.com/developer/techni...pikeys/#urlres , there are two parts involved: first where the service creates a specific key for a given domain, using a one-way hash function; and second where the service validates the key based on the Referer header.
While the article is quite explanatory, I still have a problem trying to understand how safe the validation method is. I mean, if the key is checked only against the referer, isn't this quite easy to forge? I am thinking that a simple "127.0.0.1 www.mydomain.com" in the hosts file will be enough to trick the validation and make it think that the referer is www.mydomain.com.
I might have misunderstood some things and a few clarifications will be appreciated.
Thank you for your time,
Standardt.
Standard Blue.
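
The two steps the post describes (a key derived from the registered domain, then a check against the Referer header), as an added example that is not part of the original post or the linked article. HMAC-SHA256 as the one-way function, `SERVER_SECRET` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed secret for this example; a real service would load it from a secret store.
SERVER_SECRET = b"constructed-demo-secret"


def normalize_host(host):
    """Lower-case and drop a trailing dot so equivalent host names compare equal."""
    return host.strip().lower().rstrip(".")


def issue_key(domain):
    """Step 1: derive the API key for a registered domain with a keyed one-way function."""
    data = normalize_host(domain).encode("utf-8")
    return hmac.new(SERVER_SECRET, data, hashlib.sha256).hexdigest()


def referer_host(referer):
    """Return the host named in a Referer value, or None if it is absent or unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
        host = parts.hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return normalize_host(host)


def validate(api_key, referer):
    """Step 2: recompute the key for the Referer's host and compare in constant time.

    Both arguments are values the client sent; nothing here identifies the sender.
    """
    host = referer_host(referer)
    if host is None:
        return False  # missing or unparsable Referer: reject
    expected = issue_key(host).encode("utf-8")
    return hmac.compare_digest(expected, api_key.encode("utf-8"))
```

`validate` sees only two strings supplied by the client, so a passing check shows that the request named the registered domain in its Referer, not which machine sent it. The exact-host comparison is what rejects look-alike values such as a longer host name that merely starts with the registered domain.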





