donqh00404 2012-07-10 12:34
Views: 11
Accepted

Securing an API (JSONP) by checking only the domain

I am building an API (PHP) which allows access only by domain names. How should I check the JSONP request origin?
And are there any security layers I could implement? (I am not using keys currently*)


* = I want the users only to add the script tag, I don't want them to have to insert keys and get messed up - if you have any idea to make that happen and secure it I would be delighted to hear it.


2 answers

  • douyiqi9640 2012-07-10 12:43

    The best you are going to get is to:

    Accept the request if the referer header is missing or set to a URL with a domain on your whitelist.

    This will stop people effectively using your API client side on HTTP sites.

    Some (relatively small number of) users will have referers disabled. They will be able to use the API on any site that uses it (but since they are a minority, most sites won't want to depend on this, as it will simply break for the majority of users).

    It won't stop people running an HTTPS website and using the API - but their users will be warned about a mix of secure and insecure content, so this is also an unattractive option.

    This won't stop people hitting your API server side, but you can combat that with IP based rate limiting.

    This answer was selected by the asker as the best answer.
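One way to implement the Referer allow-list the answer describes, written in PHP since that is what the asker is building; this is an added example, not code from the thread, and the function names, the example host list and the added callback-name check are assumptions.

```php
<?php
// Added example (not the asker's code): a Referer-based allow-list check
// for a JSONP endpoint, following the accepted answer's policy. Assumed
// names: referer_host(), jsonp_request_allowed(), valid_jsonp_callback(),
// and the placeholder domains in $allowed_hosts.

function referer_host(?string $referer): ?string {
    if ($referer === null || $referer === '') {
        return null;                       // header absent
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';   // '' = unparseable
}

function jsonp_request_allowed(?string $referer, array $allowed_hosts): bool {
    $host = referer_host($referer);
    // Missing Referer: users with referers disabled, or an HTTPS page
    // calling an HTTP endpoint. The answer's policy is to accept these.
    if ($host === null) {
        return true;
    }
    // Present but unparseable Referer: reject.
    if ($host === '') {
        return false;
    }
    // Exact host match, so "www.example.com.evil.test" does not pass.
    return in_array($host, array_map('strtolower', $allowed_hosts), true);
}

// The callback name is echoed into the response body, so restrict it to a
// plain JavaScript identifier (dots allowed for "obj.method").
function valid_jsonp_callback(string $cb): bool {
    return (bool) preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/', $cb);
}

$allowed_hosts = ['www.example.com', 'partner.example'];   // placeholders
$referer  = $_SERVER['HTTP_REFERER'] ?? null;
$callback = $_GET['callback'] ?? 'callback';

if (!jsonp_request_allowed($referer, $allowed_hosts) || !valid_jsonp_callback($callback)) {
    http_response_code(403);
    exit;
}

header('Content-Type: application/javascript; charset=utf-8');
$payload = ['status' => 'ok', 'data' => ['hello' => 'world']];
echo $callback . '(' . json_encode($payload) . ');';
```

The Referer is supplied by the client, so non-browser callers can set it to anything; as the answer notes, this check only raises the bar for embedding the API on other sites, and server-side abuse still needs rate limiting.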
