TLDR: I'm building a third-party API and I want to be sure that when a request comes from a domain (client side of that domain), the request is actually from that domain and not faked.

Hello, in systems like Google AdSense, in which the scenario is an advertiser registers an "ad" and people can come and register their applications or websites so they can load the appropriate "ad" and earn some money.
Typically an API key is given to the app owner so they can use it in their application. I'm building a similar system to Google Ads in which people use my API to load some stuff in their application. But the thing is, the API key will be used on the "client side", meaning in the browser of users of the "app owner's application". So it can be easily leaked or, even worse, the app owner itself can spam the API key with a script or something.
So in my server, when a request comes, how can I make sure that this request is coming from the domain "example.com" that is registered in my database and that the API key was built for? As far as I know I can't just rely on HTTP headers since they can easily be manipulated!
At first I thought TLS takes care of it, but GPT said otherwise.

4 answers

26 views

fixed IP address?

mohammad - Question author
Roman Sharkov
fixed IP address?

Nope, since the API key will be used in the browser (users of my customers), the IP will vary.

mohammad
Nope, since the API key will be used in the browser (...

Then it's not a "domain" the request is coming from. I thought your clients are servers of other people. But in that case - there's no way.

AdSense does not have protection against the scenario you describe either, they just rely on the headers of clients, and clients can see AdSense API keys.
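
The header check that the last reply refers to, as an added example (not code from anyone in this thread): a server-side function that compares the browser-sent `Origin` (or `Referer`) header with the domain registered for an API key. The key `pk_demo_123`, the registry, the subdomain rule and the function names are assumptions made for illustration.

```javascript
// Constructed registry: API key -> domain registered for that key (assumed values).
const REGISTERED = new Map([["pk_demo_123", "example.com"]]);

// Extract the hostname from an Origin or Referer value; null if unusable.
function hostOf(value) {
  if (!value || value === "null") return null; // opaque origins serialize as "null"
  try {
    const url = new URL(value);
    if (url.protocol !== "https:") return null; // accept HTTPS pages only
    return url.hostname.toLowerCase();
  } catch {
    return null; // not a parseable URL
  }
}

// True when host is the registered domain or one of its subdomains (assumed policy).
// The leading dot keeps "notexample.com" and "example.com.evil.test" from matching.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// headers: plain object with lower-cased names, as Node's http module provides.
function checkRequest(apiKey, headers) {
  const domain = REGISTERED.get(apiKey);
  if (!domain) return { ok: false, reason: "unknown key" };
  // Prefer Origin; fall back to Referer when Origin is absent.
  const host = hostOf(headers["origin"]) ?? hostOf(headers["referer"]);
  if (!host) return { ok: false, reason: "no usable origin" };
  if (!matchesDomain(host, domain)) return { ok: false, reason: "origin mismatch" };
  // Limitation discussed in the thread: a browser will not let page script set
  // Origin, so this stops other websites from reusing the key, but any
  // non-browser client sends whatever headers it likes and passes this check.
  return { ok: true, reason: "origin matches" };
}
```

A pass from this function means only that the request claims to come from the registered domain, which is the level of assurance the replies above describe.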
