If the API key is sent in the URL can't anyone "steal" it?
Typically an API for a web service would be in the code-behind section of a web page or application. If it is run on the server, the end-user will never know that a call has been made to an external site. Developing desktop apps that access web services would require some additional security precautions where you would possibly want to create your own web service that stands between the desktop app and the Biblia API to ensure that the API key is kept secure from packet sniffers. It is really up to the developer to ensure that the key is kept secure and not viewable by their end users.
But if the format is JSON that presumes Logos are primarily anticipating Javascript use, doesn't it?
When using the API from javascript the URL that you gave us when you registered will be checked against the HTTP referrer. If they don't match the request will be denied, so the key won't work on other sites.
Mark,
I was thinking about the XML and server side of things as I don't have any experience with JSON and limited JS experience. Your comment definitely got me to thinking about security from that perspective. Bryan's post about the referrer shows that the key won't be all that useful, but it would still be exposed. It's going to take me a while to make the mental shift from server-side to client-side. I'm hoping to experiment with it some next week and use it to brush up on my JS skills.
If they don't match the request will be denied, so the key won't work on other sites.
Does "match" here mean any page whose base is the supplied URL?
For example, if I'm coding an app that I'm going to host at semanticbible.com, is that a sufficient URL, or do I need to more specifically say (for example) http://semanticbible.com/cgi/holyweek/ ?
Yes, the hostname must match, and the path must start with the path of the URL you registered.
Registering http://semanticbible.com will let you use that API key anywhere under that domain. Registering http://semanticbible.com/cgi/holyweek will only allow you to use that API key on pages under /cgi/holyweek on semanticbible.com.
You can't rely on HTTP_REFERRER - it is up to the browser what is sent (it can be faked quite easily), and some internet security software blanks it out. Is the service accessible via https? If so, that would eliminate packet sniffing.