With the old app_id and code_id setup we were able to use a whitelist in order to determine from which URLs request would be allowed using the credentials.
I cannot find any setting for this with the new apiKey. How are we supposed to secure this, as the key is appended to all request and thus visible to website-users.
You mentioned you can't secure the key to domains - however I see it here:
The best solution is to use a JavaScript key, where hosts protections are enabled. You can use the JavaScript keys to call the REST APIs. Our docs do not make this clear, but we've got a doc fix coming out to make it more obvious. But yes - just use the JavaScript key.
Recommend that you use Oauth 2.0
https://developer.here.com/documentation/authentication/dev_guide/topics/token.html
Related
I'm writing an application that use woocommerce REST API with Basic authentication. In each request I should add a username and password in base64 encoding. However, each authentication header can i preview in the browser, decode and execute requests from another place which I would not like, of course.
Did I configure apps incorrectly?
I do not understand how it would be safe, since everyone can get the keys from the header.
How to configure this connection correctly?
Maybe should I use JWT auth?
woocommerce-rest-api IS NOT frondend rest api. To be able to use this on the front should be properly adapted ACL. This help me understand
I'd like to use Google Identity Toolkit API to identify the user of a web site.
I made the example program without problems, but when trying to push it on a remote web server it does not work.
I made a new project (so I have new credentials for server, client and apikey).
I made all the modification to the PHP and JSON file but when I try to login I get : There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed
I don't understand where referer are specified because the aipkey is auto generated when you change the API configuration and in API configuration there are not referers or ip indication.
Where am I doing wrong?
Go to google developers console.
Select the project you previously created and then go to Credentials option in the APIs & auth menu on the left.
Under API keys, select browser key. You can configure the browser key referrer there.
Under api key there was only one key automatically created by the api configuration.
This key had no name and i can't find a way to modify or view it.
I tried to delete it several times, but every time was created without name.
I tried to add a new key by myself, but that key wasn't accepted.
I had to delete the auto generated key, create a new one, and then go modifying the api config.
Then it worked....
I have created a session management for my site. Site will authenticate using a service and the details will be maintained in a cookie. I am trying to access the services from my RESTful server but getting errors. I found its because the non-authentication of the request. I hope I should send my withCredentials:true along with the request. But when I use this withCredentials:true I am getting this error in the console.
Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
What is the problem?
Yes it is a CROS issue. If you are using CROS in your site, just don't use wild cards in access-control-allow-origin. You need to mention your inputs there. Only one site can be given permissions at a time. You can't give permissions to access with two or more domain names. If you want to do that, you need to add another way to server for that domain. May be with different requesting url or so.
I have asp.net Web services, and I use them in my site using JS ajax calls.
I would like to set up a security mechanism (of any type) that will allow only users surfing the site to call them, and not just anyone requesting from those webservices.
How can I do that?
Thanks
Have a look at Building Secure Web Services.
A simple way will be to know the IP address of your site and then check whether its same as
HttpContext.Current.Request.UserHostAddress
Allow access only if both matches.
You can use ASP.NET Authentication.For more on authentication in webservirce check this
I have implemented security to my Webservices with Web Service Enhancements 3.0. There are many basic examples on the net that you can check out. But basically you want every Method to be called through a Post instead of a Get, and you would send a SOAPHeader with every HTTP call. The service/method checks the SOAPHeader validates and returns valid content only if the user is authenticated/valid.
Good luck!
I've built ASP.NET Web Services in the past that either were publicly consumed, or used Windows Authentication. I now need to build a Web Service that uses the SOAP 1.1 protocol and it needs to be secured with a username and password from the caller.
It seems setting up the infrastructure for WCP is overkill for one or two Web Services. Any other suggestions? I was also thinking of using ASP.NET 4.0 Beta, if anyone has explored that for this scenario, it would be helpful to know your opinion.
Thanks in advance for your suggestions.
The simple way is to create a special header that carries the auth info for every call and authenticate/authorize the user that way
Here's some sample code:
http://aspalliance.com/805_Soap_Headers_Authentication_in_Web_Services
Note that in this way you are sending clear text username and password so you would want to use ssl or use some kind of digest authentication
There are different ways of doing this. One could be enabling access to a specific sets of IPs. If the IP doesn't match one of the lists then you could easy reject the call at method's level.
Otherwise, you could create another method that would return a token and then make all the relevant methods to expect that token in return in order to process the request.
Use SSL. Force everyone who consumes your webservice to use https.
//Check for Secure Channel: HTTPS
if (!Context.Request.IsSecureConnection)
return "The HTTP Connection must use Secure Sockets (HTTPS)";