API key sent with URL


Jon | Posted: Wed, Mar 31 2010 7:21 AM

If the API key is sent in the URL can't anyone "steal" it?

Brian Huddleston | Replied: Wed, Mar 31 2010 8:36 AM

Typically an API for a web service would be in the code-behind section of a web page or application.  If it is run on the server, the end-user will never know that a call has been made to an external site. Developing desktop apps that access web services would require some additional security precautions where you would possibly want to create your own web service that stands between the desktop app and the Biblia API to ensure that the API key is kept secure from packet sniffers.  It is really up to the developer to ensure that the key is kept secure and not viewable by their end users.

Wylie, TX
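The pattern Brian describes above (your own web service standing between the client and the Biblia API so the key never reaches the end user) as an added example in Python; it is not code from this thread or from Logos, and the upstream base URL, the endpoint path and the parameter names are assumptions, since the real Biblia endpoints are not shown on this page. The proxy holds the key in its own environment, allowlists what a client may request, strips anything the client sends under the name "key", and relays only the upstream body.

```python
import os
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical upstream base URL and endpoint layout: the real Biblia endpoints are not
# shown on this page, so these paths and parameter names are assumptions for the demo.
UPSTREAM = "https://api.biblia.com"

# The key lives only in the proxy's process environment; it is never put in a page,
# a desktop binary or a response. "constructed-demo-key" is a placeholder for running offline.
API_KEY = os.environ.get("BIBLIA_API_KEY", "constructed-demo-key")

# Allowlist: client-visible path prefix -> query parameters the client may pass through.
ALLOWED = {
    "/v1/bible/content/": {"passage", "style"},
}


def build_upstream_url(client_path, client_query):
    """Map a client request onto an upstream request, or return None if it is not allowed.

    The returned URL carries the server-held key. Anything the client sends under the
    name 'key', and any parameter outside the allowlist, is dropped rather than forwarded.
    """
    path = urllib.parse.urlsplit(client_path).path
    # Refuse dot-segments so the allowlist cannot be escaped with /allowed/../other.
    if ".." in path.split("/"):
        return None
    allowed_params = None
    for prefix, params in ALLOWED.items():
        if path.startswith(prefix):
            allowed_params = params
            break
    if allowed_params is None:
        return None
    pairs = urllib.parse.parse_qsl(client_query, keep_blank_values=False)
    forwarded = [(k, v) for k, v in pairs if k in allowed_params]
    forwarded.append(("key", API_KEY))
    return UPSTREAM + path + "?" + urllib.parse.urlencode(forwarded)


class ProxyHandler(BaseHTTPRequestHandler):
    """Minimal GET proxy: validate, attach the key, relay the upstream body."""

    def do_GET(self):
        parts = urllib.parse.urlsplit(self.path)
        upstream = build_upstream_url(parts.path, parts.query)
        if upstream is None:
            self.send_error(403, "request not permitted by the proxy allowlist")
            return
        try:
            with urllib.request.urlopen(upstream, timeout=10) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type", resp.headers.get("Content-Type", "application/json"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.URLError:
            # Any upstream failure (including 4xx/5xx) is reported without echoing the
            # upstream URL, because that URL contains the key.
            self.send_error(502, "upstream request failed")


if __name__ == "__main__":
    # Clients call http://127.0.0.1:8080/v1/bible/content/...; only the proxy talks upstream.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

A desktop app or browser page then calls the proxy instead of Biblia, so a packet sniffer or a view-source on the client side sees only the proxy URL. The proxy is where you would also add your own authentication and rate limiting, since otherwise anyone who can reach it can spend your key's quota.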

Mark Barnes (Forum MVP) | Replied: Wed, Mar 31 2010 9:25 AM

But if the format is JSON that presumes Logos are primarily anticipating Javascript use, doesn't it?

Bryan Smith (Logos employee) | Replied: Wed, Mar 31 2010 9:30 AM

When using the API from javascript the URL that you gave us when you registered will be checked against the HTTP referrer. If they don't match the request will be denied, so the key won't work on other sites.

Brian Huddleston | Replied: Wed, Mar 31 2010 9:51 AM

Mark Barnes:

But if the format is JSON that presumes Logos are primarily anticipating Javascript use, doesn't it?

Mark,

I was thinking about the XML and server side of things as I don't have any experience with JSON and limited JS experience.  Your comment definitely got me to thinking about security from that perspective.  Bryan's post about the referrer shows that the key won't be all that useful, but it would still be exposed.  It's going to take me a while to make the mental shift from server-side to client-side.  I'm hoping to experiment with it some next week and use it to brush up on my JS skills.

Wylie, TX

Sean Boisen | Replied: Fri, Apr 2 2010 11:59 AM

Bryan Smith:
If they don't match the request will be denied, so the key won't work on other sites.

Does "match" here mean any page whose base is the supplied URL? 

For example, if I'm coding an app that I'm going to host at semanticbible.com, is that a sufficient URL, or do I need to more specifically say (for example) http://semanticbible.com/cgi/holyweek/ ?

Bryan Smith (Logos employee) | Replied: Sun, Apr 4 2010 10:29 PM

Yes, the hostname must match, and the path must start with the path of the URL you registered.


Registering http://semanticbible.com will let you use that API key anywhere under that domain. Registering http://semanticbible.com/cgi/holyweek will only allow you to use that API key on pages under /cgi/holyweek on semanticbible.com

Paul Davey | Replied: Sat, Apr 10 2010 10:04 PM

You can't rely on HTTP_REFERRER - it is up to the browser what is sent (it can be faked quite easily), and some internet security software blanks it out.  Is the service accessible via https?  If so, that would eliminate packet sniffing.
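The check Bryan describes (hostname must match, path must start with the registered path) together with Paul's objection that the Referer header is under the sender's control, as an added example in Python. This is not Logos's code and not the real Biblia implementation: the key registry, the key strings and the API endpoint URL are constructed for the demo. The thread states the path rule as a plain prefix; this version matches on whole path segments, which is slightly stricter, and the comment says so.

```python
import urllib.parse

# Constructed registry of key -> registered URL, mirroring the two registrations discussed
# in the thread. The key strings are placeholders, not real Biblia keys.
REGISTERED = {
    "key-site-wide": "http://semanticbible.com",
    "key-holyweek": "http://semanticbible.com/cgi/holyweek",
}


def path_under(request_path, registered_path):
    """True if request_path is the registered path or lies beneath it.

    The thread describes a plain prefix rule; this matches on whole segments so that a
    registration of /cgi/holyweek does not also admit /cgi/holyweekend.
    """
    base = registered_path.rstrip("/")
    if base == "":
        return True  # registered the site root: any path on that host is fine
    return request_path == base or request_path.startswith(base + "/")


def referer_allows(api_key, referer):
    """The check as described: hostname must match, path must start with the registered path."""
    registered = REGISTERED.get(api_key)
    if registered is None or not referer:
        return False  # unknown key, or no Referer at all (blanked by the browser or a proxy)
    want = urllib.parse.urlsplit(registered)
    got = urllib.parse.urlsplit(referer)
    if not got.hostname or got.hostname.lower() != (want.hostname or "").lower():
        return False
    return path_under(got.path or "/", want.path)


def handle_request(url, headers):
    """Simulated API front door: key from the query string, origin check from Referer.

    Returns an HTTP status: 401 without a key, 403 on a referer mismatch, 200 otherwise.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    key = query.get("key", [None])[0]
    if key is None:
        return 401
    if not referer_allows(key, headers.get("Referer")):
        return 403
    return 200


# Hypothetical endpoint; the real Biblia URL layout is not shown on this page.
API_URL = "https://api.biblia.com/v1/bible/content/LEB.txt?passage=John3.16&key=key-holyweek"

# A browser on the registered page: allowed.
LEGIT = handle_request(API_URL, {"Referer": "http://semanticbible.com/cgi/holyweek/day1.html"})
# The same key lifted from that page's source and embedded in another site: denied.
STOLEN = handle_request(API_URL, {"Referer": "http://evil.example/copy.html"})
# The same key used from a script that simply sets the header itself: indistinguishable from LEGIT.
FORGED = handle_request(API_URL, {"Referer": "http://semanticbible.com/cgi/holyweek/"})
# A genuine visitor whose browser or privacy software strips Referer: wrongly denied.
STRIPPED = handle_request(API_URL, {})
```

The four results make the thread's two points concrete: the referer check stops the key from being useful on other people's web pages, which is what it is for, but any client that is not a browser on someone else's page can send whatever Referer it likes, and legitimate users with Referer suppressed are locked out. HTTPS closes the passive sniffing Paul mentions, but it does nothing about the forged header, and the key remains readable in the page source of any JavaScript client.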
