
I'm using jQuery with the Bitly API to automate link shortening, but since the code is on the client side, the API key can be easily compromised, regardless of obfuscation.

My question: Is there a way to restrict requests to a specific domain? In other words, if the request originated from example.com then pass it, otherwise refuse.

I searched through bitly account preferences and API but couldn't spot that ability, perhaps because of my limited experience. I'd appreciate it if anyone can help with this or provide an alternative workaround.

Thank you in advance.

Mina Hafzalla

1 Answer


Even if Bitly had a mechanism to lock down API calls by requesting IP, with your current design, it's each individual client IP that would be making the request, so your only possible way to lock this down would be by referring URL domain on the browser. It's reasonably easy to spoof a referring domain, and so I'd avoid exposing your API key unless there's no other way.

I'd relay the API request to Bitly through your web server (that way, the API key can remain only on the server and will never be visible to clients).

Ryan Nigro