Excuse me if the title is plain idiotic with respect to the contents.
We were debating a model for an interaction-heavy site in which there will be
site.com
api.site.com
on the same server. the site.com is powered by PHP and api.site.com will be powered by an alternative web framework. The same or different servers answer the two domains.
The rendered site makes AJAX calls to api.site.com.
Securing this is easy if the application were 'all PHP'. The session feature can prevent HTTP requests that allow:
an unlogged stranger from accessing a user's data
a legitimately logged-in user from requesting another user's data
Question 1: How do you secure the internal API so that we can be sure about the legitimateness of each request?
I have googled up AJAX and same origin policy, but I didnt get far with them.
I am thinking randomly generated 'tokens' that will be acknowledged by both domains.
Question 2: Is there a specific name for this model?
You should take a look at JSONP. jQuery has a good example on it: http://api.jquery.com/jQuery.getJSON/
You need to add jsoncallback=? to the URL to make it work.
$.getJSON("http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?"
With this, you can avoid the Same origin Policy
The jsoncallback will be a timestamp, which should be echo-ed by the PHP script which outputs the JSON like this:
jsonp1277656587731(/* rest of the JSON here */);
With the number here ofcourse being the randomly generated string, or timestamp in case of jQuery JSONP
Related
I know CURL & HTTP authentication to allow API calls only from certain requests.
I have something like this
www.mysite.com/list
www.mysite.com/api
list page calls the api page using jQuery Ajax post request and api page echos jSON response.
I am already checking HTTP referrer to verify Post requests come from certain origins but these requests can be forged.
I cannot use $_SERVER['remote_addr'] as this will check the client ip not the source ip of the API request.
As both the pages are hosted in the same web server and in the same hostname, its not possible to restrict based on hostname or IP address.
I am aware of some alternatives like
cURL with HTTP Authentication.
Encryption of jSON response and Decrypting before printing.
But is there any way to restrict these API pages to securely block access from outside the server or hostname?
Assuming you want to restrict access to "Joe Random user who is visiting your website with a web browser".
Not really.
There's no way to reliably determine that the client is a regular web browser. Anyone writing some other client to access your API can easily have it visit your website and get whatever tokens they need to prove that.
The best you can do is some sort of heuristic approach that looks for unusual traffic patterns (such as unusually high numbers of similar requests from one source, or ones which have very stable intervals between requests). You'll get false positives and negatives from that kind of approach though.
I may be wrong, but I think you are trying to invent csrf tokens. But with little modification:
You should store generated token in session/cookie before rendering /list. I am not sure whether jQuery send session/cookie with ajax request by default, but I think it should not be a big problem if not, to append it.
When you will process /api request you should validate cookie/session also for the token existance.
I have a jQuery script in a clientDomain.com/show.php page that shows some data loaded from a serverDomain.com/echo.php page using jQuery.getJSON(). I want that only allowed domains can show the data because I don't want that unauthorized people install the script in their own website without my permission. Is there any way to restrict the response of a jQuery.getJSON() only to certain domains? The solution should prevent also the use of iframe by the client. In conclusion, the data should be seen only if someone visit directly serverDomain.com/echo.php page or one of the allowed client domains. Thanks in advance for the support!
My request/response script works like the first example in jQuery.getJSON() | jQuery API Documentation
I can only code the client jQuery script (that will be ditribuited to the allowed domains) and the serverDomain.com/echo.php page (that is my property).
Don't do that. Use auth tokens instead that are updated regularly. Anybody can fake an HTTP referrer.
Here's a good answer on SO which covers resful api authentication: REST API Token-based Authentication
So I'm creating an app for a specific website, which has comments on certain articles/entities or whatever. I already know how to fetch those comments with RSS, but I'm also curious if I can implement a reply functionality from the app itself. The site doesn't have an API for that, but I know that when you write a comment, it sends a POST request with the contents of the form.
Is there a way to find out what that POST request looks like, so I can send a similar one from my app? The end goal is to be able to reply/post new comments from my app to that website.
Any thoughts? Just in theory.
Is there a way to find out what that POST request looks like, so I can
send a similar one from my app?
Use some debuger, like FireBug for FF or DragonFly for Opera.
so I can send a similar one from my app?
It would be not secure if anyone could see the nature of requests and make such requests in their apps. Apps may be bad and send spam.
There should be some Captcha or CSRF protection.
If there is - you plan will not work.
If there isn't - it is security hole.
My advice.
Better create some API an call it from your APP.
Simple HTTP, XML-RPC, or SOAP.
This will be more secure and nice usefull thing to know.
Look at the page which sends the post request. If the HTML code or javascript is simple you can understand which is the POST data sent to the server. Otherwise maybe you have access to the server and can look at the code there?
Point your browser with Chrome or Firefox (with the Firebug plugin) and open the inspector (Control-Alt-I / Command-Alt-I), then the "Network" tab. There you'll see real-time requests and responses to the server.
If you need to implement authentication from your app, google "cookie jar" and your language.
On many places (Google, Yahoo, Stack Exchange... ) I found that Ajax coding (for example php+Ajax login system) is not, and cannot be secure enough. So many reserve about Ajax security, and nowhere you can find an example of secure Ajax code.
At the same time, all this sites (even Facebook, Twitter...) USES a lot of Ajax code, for registering and loging users, for commenting features etc. Seems like Top Secret matter.
So, could someone show an example of secure php-Ajax code ?
An AJAX request is just like a normal browser request, just in the background. So if you would normally have a login form that posts data to your checklogin.php, you can do the same with AJAX and its equally secure.
Another thing to keep in mind is with cross site javascript calls. This is used for example when you are creating apps on facebook to transfer data from/to your server. These request have to be signed to make sure the data is comming from a valid source. This is done by using a secret and public key. These sites use oauth to handle these request. You can also implement this in your own site, but for any regular authentication (login/post messages/etc) this will not be needed. Just code like you would if it were a regular request.
We have a webpage that we provide to partner companies via an iFrame. The iFrame contains several javascript files that make ajax requests to our server for data. The iFrame itself requires an API Key that is keyed to the domain of the partner. This prevents the iFrame from displaying if it is installed on a domain that isn't registered. However, it would be pretty easy to simply copy the contents and javascript files of the iFrame from a registered site and host them on a non-registered site.
Ideally we'd like to use the API key to restrict Ajax requests and prevent our server from providing the requested data for non-registered sites. However, it appears that the HTTP_REFERER server variable is not set for Ajax requests. How can we tell what site that the request is coming from? Is it possible? If not, how can we prevent unauthorized access?
Relying on HTTP_REFERER isn't the way to go. You want your client's website to use an API to contact your website over a secure link, and get a temporary session string, which is then used as part of the source url for the IFRAME, which is how google does it (not with referer.)
Make the url for the IFRAME valid for a limited time, after which you display a nice message about going back to the client's page to start over.
When the iframe is requested you can generate a unique ID on your server, then set that as a cookie on the client. Every AJAX request should contain that cookie. Only keep around the ID's for the last hour or so.
You can never rely on HTTP_REFERER because some proxy servers and firewalls will strip it out to preserve users' privacy.
The challenge is that the iframe is authorized to a specific domain, so my API Key is tied to that. I followed the following tutorial to generate my API keys.
https://ajax.dev.java.net/ajax/api-keys
Do you think that relying on the HTTP_REFERER variable will prevent users from accessing the iframe? Sun claims that Google uses this method for Google Maps API authentication.
Once the API key has been authenticated, then the cookie approach should do the trick, I think. Thanks!