49

For example, check out this Facebook plugin.

In the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this feature on a different site?

I figured a very naive implementation would be to check the domain the request comes from, but things like this are easy to fake.

If I were to create something similar, how would I go about securing the authentication process?

I want as much of this work to be client side, though some form of server authentication will be required surely? Any links or advice would be greatly appreciated.

Update

Similar question about API keys that I found useful.

1 Comment

Have you looked at Twitter's @anywhere? The API key is open, but they use other information/secret to test the data. Commented Oct 21, 2011 at 9:01

2 Answers

13

In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).


9 Comments

I'm guessing in that case the API key will change for every single request, right?
@Finglas: No. Why should it? The API key identifies your application, and that is tied to a single domain; if you use it on another domain, the API key won't match when it's checked on FB via AJAX and the UI won't load.
That's what I'm getting at. How can we trust the domain, if I registered site A, what's stopping me from making site B using the same key but bodging the headers prior to sending a request?
@Finglas: How exactly do you bodge the headers? They are not sent by your server, but by the user's browser.
Things such as Firebug, Tamper Data-like tools, etc. Despite this, an API key sounds like it will do the job. An interesting question on the same topic can be found here stackoverflow.com/questions/2256305/…
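The server-side validation this answer describes, as an added illustration that is not code from the answer or from Facebook: the public API key is looked up in a registry, the browser-sent Origin header must match the domain registered for that key, and anything privileged requires an HMAC over the request body with the secret key that never ships to the client. The registry, key names and domains are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed registry: public API key -> registered domain + server-only secret.
# The API key is public (it sits in the page's JavaScript); the secret is not.
APP_REGISTRY = {
    "pub_key_siteA": {"domain": "site-a.example", "secret": b"secret-for-site-a"},
}


def validate_origin(api_key, origin_header):
    """Check a browser request the way the answer says FB does.

    The Origin header is added by the user's browser, not by the page's script,
    so a copy of site A's key embedded in site B fails the domain match.
    Returns (ok, reason)."""
    app = APP_REGISTRY.get(api_key)
    if app is None:
        return False, "unknown api key"
    if not origin_header:
        return False, "missing Origin header"
    host = urlparse(origin_header).hostname
    if host != app["domain"]:
        return False, "api key not registered for %s" % host
    return True, "ok"


def sign_request(api_key, body):
    """Server-to-server call: prove possession of the secret without sending it."""
    secret = APP_REGISTRY[api_key]["secret"]
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(api_key, body, signature):
    """Recompute the HMAC with the stored secret; constant-time compare."""
    app = APP_REGISTRY.get(api_key)
    if app is None:
        return False
    expected = hmac.new(app["secret"], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    print(validate_origin("pub_key_siteA", "https://site-a.example"))  # (True, 'ok')
    print(validate_origin("pub_key_siteA", "https://site-b.example"))  # rejected
    sig = sign_request("pub_key_siteA", b'{"action":"post"}')
    print(verify_signature("pub_key_siteA", b'{"action":"post"}', sig))  # True
```

A user who edits their own Origin header with a tool like Tamper Data only affects their own session; the privileged path still fails without the secret, which is why the answer distinguishes the API key from the secret key.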
3

I haven't done this myself, but I know that the kind of attack you are worried about is called Cross-site Request Forgery (CSRF). The Wikipedia article on that gives some hints on how to prevent it.

3 Comments

That should be the title of this question. "How to prevent Cross-site Request Forgery?"
@mr5 If "Preventing CSRF" were the title, people like me who don't know the name wouldn't find the question
@Eponymous Well, you are correct! I can't remember why I wrote this stupid comment. Just ignore it. lol
