I know that user agent can be faked easily when connecting through HTTP. I want to ensure access to my SOAP API only from iPhone devices. We don't know how many users will be using this when it is released but it might be a lot and we can't handle traffic from outside of the devices. Any other means to prevent this?
A:
No.
(Outside of asking them if they're on an iPhone of course.)
jagprinderdeep
2009-10-09 19:11:09
A:
Unless you control both sides, there's no way to determine the type of the other party reliably over HTTP.
Franci Penov
2009-10-09 19:15:03
A:
It's not clear to me why limiting just to iPhones would be the way to go, since I guess what you're really worried about is volume per user on the API (iPhone or not) and number of users. Spoofing the client is pretty easy, so a better way would be either to issue keys/ids on signup and then limit volume on each key or by IP address. Using keys also means you'll have a better ID on your users, which might be useful in the long run. IP addresses could be problematic with mobile clients but at least you can do some basic load limiting.
steve
2009-10-10 11:55:12
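The approach suggested in the answer above (keys issued on signup, volume limited per key, with a per-IP limit for everything else), sketched as an added example that is not part of the original thread. The names `ApiGate` and `TokenBucket`, the limits and the status codes are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time


class TokenBucket:
    """Allows `burst` requests at once, refilled at `rate` requests per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def take(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGate:
    """Hypothetical front door for the API: per-key limits, per-IP fallback."""

    def __init__(self, key_rate=1.0, key_burst=5, ip_rate=0.2, ip_burst=2):
        self.key_limits = (key_rate, key_burst)
        self.ip_limits = (ip_rate, ip_burst)
        self.key_hashes = {}  # sha256(key) -> user id; raw keys are never stored
        self.buckets = {}     # ("key", user) or ("ip", addr) -> TokenBucket

    def issue_key(self, user_id):
        """Called at signup; the raw key is returned to the client exactly once."""
        key = secrets.token_urlsafe(32)
        self.key_hashes[hashlib.sha256(key.encode()).hexdigest()] = user_id
        return key

    def _bucket(self, ident, limits, now):
        return self.buckets.setdefault(ident, TokenBucket(*limits, now))

    def check(self, api_key, client_ip, now=None):
        """Return (HTTP status, reason) for one incoming request."""
        now = time.monotonic() if now is None else now
        digest = hashlib.sha256((api_key or "").encode()).hexdigest()
        user = self.key_hashes.get(digest)
        if user is None:
            # No valid key: charge the caller's IP so rejected traffic is bounded too.
            ok = self._bucket(("ip", client_ip), self.ip_limits, now).take(now)
            return (401, "valid API key required") if ok else (429, "too many unauthenticated requests")
        ok = self._bucket(("key", user), self.key_limits, now).take(now)
        return (200, "ok") if ok else (429, "key rate limit exceeded")
```

The key bucket follows the user rather than the address, so a mobile client that changes IP keeps its own quota; in a long-running service the `buckets` map would also need idle entries evicted.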