
Jun 21st, 2009

URL-Based API Key Restriction: How does validation work?

Hi,

I don't know if this is the right area to post this, but it seems to be related.

I am interested to know how a URL-based API key restriction works, such as the one used by Google to protect its Google Maps service.

From what I understand from this article http://java.sun.com/developer/techni...pikeys/#urlres , there are two parts involved: first where the service creates a specific key for a given domain, using a one-way hash function; and second where the service validates the key based on the Referer header.

While the article is quite explanatory, I still have a problem trying to understand how safe the validation method is. I mean, if the key is checked only against the referer, isn't this quite easy to forge? I am thinking that a simple "127.0.0.1 www.mydomain.com" in the hosts file will be enough to trick the validation into thinking that the referer is www.mydomain.com.

I might have misunderstood some things and a few clarifications will be appreciated.


Thank you for your time,
Standardt.
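
The two parts described in the post, as an added example that is not part of the original post or the linked article. It assumes the key is an HMAC-SHA256 of the registered host under a server-side secret; `SERVER_SECRET`, `issue_key`, `referer_host` and `validate` are hypothetical names, and the secret is a constructed value.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the service holds a secret and derives each key as a keyed
# one-way hash of the registered host name (constructed demo value).
SERVER_SECRET = b"constructed-demo-secret"


def issue_key(registered_host: str) -> str:
    """Part 1: derive the API key for a host at registration time."""
    host = registered_host.strip().lower().encode("utf-8")
    return hmac.new(SERVER_SECRET, host, hashlib.sha256).hexdigest()


def referer_host(referer_header):
    """Return the lowercased host of a Referer value, or None if unusable."""
    if not referer_header:
        return None
    try:
        parts = urlsplit(referer_header.strip())
        host = parts.hostname
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host


def validate(api_key: str, referer_header) -> bool:
    """Part 2: recompute the key from the Referer host and compare.

    Both inputs arrive inside the request, so a match shows only that the
    key belongs to the host named in the header. It records which site the
    client says it is on; it does not authenticate the caller.
    """
    host = referer_host(referer_header)
    if host is None:
        return False  # missing or malformed Referer is rejected
    expected = issue_key(host)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected.encode("utf-8"),
                               api_key.encode("utf-8", "replace"))
```

Because the server never stores per-domain keys in this scheme, revoking one key requires a separate deny list or a change of secret.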

© 2011 DaniWeb® LLC