why we generate api keys for domains to use web api when we have referrer to check the source
+1
A:
The value of HTTP_REFERER can easily be faked. If you want to verify that somebody (or some website) is really entitled to access a service, you have to involve some sort of authentication, which generally means an API key (or for people, a username/password).
David Zaslavsky
2010-05-21 13:44:33
What's this crazy correct spelling of REFERRER? (http://gadgetopia.com/post/2687)
Dominic Rodger
2010-05-21 13:47:18
oh yeah, I didn't even notice that. Now "fixed" ;-)
David Zaslavsky
2010-05-21 17:29:31
if the api key is for some JS Api like google's then anybody can see what api key you are using.. and he also can use the same api key.. then whats the use of generating a key against a domain
CMNAJS
2010-05-23 11:22:44
I'd have to see an example, but from what you're describing it sounds like in that case there's nothing to stop you from taking and using the API key. Google (or whoever) might have checks in place to make it difficult, but they can't make it impossible.
David Zaslavsky
2010-05-23 19:59:10
say only registered users generate keys. and system assigns key for domain to user then still why cant system assign only domain to user instead of key
CMNAJS
2010-07-27 11:45:04