 

How do you verify an API request came from a certain domain?

I have a web API that I want to allow any domain to submit data to. However, to keep bogus spam down I want to find some way to ensure that a request stating it's from a certain domain actually is from that domain and that someone isn't trying to trick me by posting on another domain's behalf.

For example, if http://example.com submits some data - that's good. If script kiddie #237 submits data claiming to be example.com - that's bad.

At first I was going to use a secret key system to HMAC sign each request - but signup is going to be open, free, and automated for this API. I'm not sure how I could tell if PersonA or PersonB really owns http://example.com and deserves the API key.

Xeoncross asked Oct 11 '25 07:10


1 Answer

Provide a key file that they will have to upload to that domain. Then you check that it exists and that its data is valid against your internal database.

Pentium10 answered Oct 14 '25 01:10
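One way to implement the key-file check from the answer above, as an added example that is not part of the original answer. The well-known path, the `DomainVerifier` class and the injected `fetch` callable are assumptions, and the dictionary stands in for the internal database.

```python
import hashlib
import hmac
import secrets

# Assumed location of the key file on the claimed domain (not from the page).
CHALLENGE_PATH = "/.well-known/api-verify.txt"
MAX_BODY = 256  # a key file is tiny; refuse anything larger


def normalize(domain):
    """Accept only a bare hostname, so the fetched URL is built by us."""
    domain = domain.strip().lower().rstrip(".")
    labels = domain.split(".")
    ok = len(labels) >= 2 and all(
        l.isascii() and l.replace("-", "").isalnum()
        and not l.startswith("-") and not l.endswith("-") and len(l) <= 63
        for l in labels)
    if not ok or labels[-1].isdigit():  # also rejects IPv4 literals
        raise ValueError("not a hostname: %r" % domain)
    return domain


class DomainVerifier:
    def __init__(self, fetch):
        self._fetch = fetch    # fetch(url) -> bytes or None (hypothetical HTTP client)
        self._pending = {}     # (account, domain) -> sha256(token); stands in for the DB
        self.verified = set()  # (account, domain) pairs that passed the check

    def issue(self, account, domain):
        """Return the key-file content this account must publish on the domain."""
        token = secrets.token_urlsafe(32)
        key = (account, normalize(domain))
        self._pending[key] = hashlib.sha256(token.encode()).digest()
        return token

    def check(self, account, domain):
        """Fetch the key file and compare it with the token issued to this account."""
        key = (account, normalize(domain))
        expected = self._pending.get(key)
        if expected is None:
            return False
        body = self._fetch("https://" + key[1] + CHALLENGE_PATH)
        if body is None or len(body) > MAX_BODY:
            return False
        if not hmac.compare_digest(hashlib.sha256(body.strip()).digest(), expected):
            return False
        del self._pending[key]  # single use: a new claim needs a new token
        self.verified.add(key)
        return True
```

In production, `fetch` would be an HTTPS client with a short timeout that does not follow redirects and refuses hosts resolving to private or loopback addresses, since the domain name is supplied by the person signing up.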


