We have a webpage that we provide to affiliates through an IFrame. IFrame has many javascript files that request AJAX requests on our servers. Iframe requires API key itself, which is for the partner's domain. This prevents the display of iframe if it is installed on the domain that is not registered. However, copying iframe content and javascript files from only one registered site and hosting it on non-registered site will be very easy.
Ideally, we want to use the API key to ban Ajax requests and prevent our server from providing the requested data for non-registered sites. However, it seems that the HTTP_REFERER server variable is not set for Ajax requests. Which site can we tell that is coming from the request? Is this possible? If not, how can we prevent unauthorized access?
There is no way to trust HTTP_REFERER You want your client's website to use an API To contact your website on secure links, and get a temporary session string, which is used as a part of the source URL for IFRAME, how does Google (not with referrer)
Make URL for a limited time for IFRAME, of which Prahlad you can demonstrate a good message about going back to the page of the client.
Comments
Post a Comment