want to be sure when a request comes from a domain(client side of that domain) , the request is actually from that domain and not faked.
hello , in systems like google ad sense in which the scenario is an advertisor registers an "ad" and people can come and register their applications or websites so they can load the appropriate "ad" and earn some money.
typically an api key is given to the app owner so they can use it in their application , i'm building a similar system to google ads in which people use my api to load some stuff in their application. but the thing is , api key will be used in "client side" meaning in browser of users of the "app owner's application". so it can be easily leaked or even worse , the app owner itself spam the api key with a script or something.
so in my server , when a request comes , how can i make sure that this request is coming from domain "example.com" that is registered in my database and that api key was built for ? as far as i know i can't just rely on http headers since they can easily be manipulated !
at first i thought tls takes care of but gpt said otherwise
fixed IP address?
nope , since the api key will be used in browser (users of my customers) , the ip will vary
then it's not a "domain" the request is coming from. I thought your clients are servers of other people. But in that case - there's no way.
AdSense does not have a protection against the scenario you describe either, they just rely on the headers of clients, and clients can see AdSense API keys
Обсуждают сегодня