I am using the Google API Console and would like to restrict based on website (HTTP) referrer instead of IP, as the IP could change, e.g. with a hosting change.

The IP restriction works fine, but when I switch to website restriction and add my website with some wildcard characters, e.g. http://example.com/*, it fails.

My assumption is that since the code is running on the server (PHP) that it is by default showing the IP, not the domain name.

Is there any way around this, i.e. to ask the server via PHP to "report" the website domain name as a referrer instead of the IP address so that I can use the HTTP referrer restriction option? Or am I stuck?

Drewdavid
  • There is no way to ensure another client will set the referrer header. All you could do is reject any requests that didn't have it, and perform the required filtering when it does exist. – prieber May 19 '21 at 19:05
  • Are you using the API server side or client side? And is this a shared usage or just a single install? – Chris Haas May 19 '21 at 22:36
  • Hi Chris. Server side; will go into a plugin that will be used on several websites, but share the same API key. I can choose the IP restriction, but as mentioned I am aware this (the IP) could change from time to time... – Drewdavid May 19 '21 at 23:13
  • So, depending on scale and how you want to manage this, a common pattern is to have a central server under your control that. When your plugin is activated, it can call out to this server, and either this server just gives the API keys, or you request a login to prove auth. Another way is to use the API API, where you dynamically authorize IPs which I think it is https://cloud.google.com/iam/docs/reference/rest/. Regardless, in a server environment, referrer doesn’t make too much sense because it is so easily spoofable that no one uses it – Chris Haas May 19 '21 at 23:31
  • Ok phew - thanks for the info! It's a small project and in this case if the IP changes it's not going to break anything, it'll just result in an empty field of JSON data. What I might do instead is use the built-in IP restriction and then build some kind of simple alert if the IP changes (or if the field is empty). – Drewdavid May 20 '21 at 00:15

0 Answers