-1

I am quite new to creating services using PHP-cURL. I want to offer some data/service to only registered domains. I know that I can identify these domains using app ID and API keys for data encryption.

However, I was thinking about different types of threats. What if some of my customers give their credentials to another domain? How can I validate caller domain (or any other solution) so that the credentials will be used only by that domain? I really tried to detect exact domain name that is calling my service, but I fail every time, because anyone can set a fake domain name in the header. I was thinking about using IP, but that would be a really complex solution.

Also, I don't want to limit calls. I just want to be sure about which domain I am giving data.

schroeder
  • 123,438
  • 55
  • 284
  • 319
jaydip sinh Parmar
  • 109
  • 2

2 Answers2

0

I would approach this in two ways:

  1. Deterrence: Make it clear to your customers that this is illegal, and make sure it is illegal , i.e. the contract they sign with you binds them to not publish or distribute their credentials.

  2. Mitigation: You can implement the service in a way that the client requests something and your server immediately returns a 200 response, closes the communication, and then its your server the one who initiates a request to the client sending the information they requested before. This way you validate their request against your records of valid servers. It is not fool proof but does make it more difficult for them to share their credentials.

Tsundoku
  • 127
  • 1
  • 5
Purefan
  • 3,560
  • 19
  • 26
  • first thanks for the answer.I got your point and it's looks like i am looking for but only one doubt so please tolerate me.Data i send to my client-domain is use to display on screen so clien-domain request is made by on page call / render. now if i am not send data as a response but from my new call as you say.how can I handle flow ? maens i have have to make page hold until my service respond. – jaydip sinh Parmar Aug 15 '15 at 17:38
  • There are various techniques to continuously check a server side state, for example long-polling, websocket connections... You can store the response from your API in a redis/memcache store and keep alive the connection from your web browser to your API client, checking if the response arrived every so often – Purefan Aug 17 '15 at 07:20
0

One possibility would be to use the reverse DNS information based on the connecting IP address.

This is far from being a silver bullet as reverse DNS are usually customisable. You can also extend the system and add a validation step using email. When you detect a new IP for a know domain, you ask for a mandatory validation by the domain owner. This would however be a problem if your client use IPs which change frequently.

Having a quota on the requests is a good incentive for client not to share their credential, their are in risk of being blocked and this is bad for their own services, even if the quota is high.

M'vy
  • 13,033
  • 3
  • 47
  • 69