I've been calling JSON files via the JS fetch method.

How can I make it so only I can call these and get the response?

My concern is people can find these URLs by looking into my page source and then directly linking to them and getting the JSON.

I've thought of having a secret key in my PHP somewhere that's then checked on my page which returns the JSON?

Not sure how this could work; sessions won't work as they can be found?

PHP

6 Comment(s)

@NogDog, May 06 2021: Do users have to be logged in to access the page in the first place? If not, I don't know of any sure-fire way to prevent them from accessing anything the page accesses if they're knowledgeable enough. If, on the other hand, they do have to be logged in, then you can set up some sort of PHP endpoint that serves up the JSON after validating that they're logged in.

    <?php
    session_start();
    // Only serve the file if the session marks this visitor as logged in
    if (!empty($_SESSION['something'])) {
        header('Content-Type: application/json'); // application/json is the correct type for JSON
        readfile('/path/outside/of/public_html/file_of_interest.json');
    } else {
        // Pretend the resource doesn't exist for anyone who isn't logged in
        header('HTTP/1.0 404 Not Found');
        exit;
    }
@kiwis (author), May 07 2021: What if, on my index page, I placed generic "username" and "password" credentials, just keys really, and set a session.

On my page which creates the JSON data, I check if the session was set and check those values?
@kiwis (author), May 07 2021: Or, given the JSON file is being called from my own server, check the referrer? Could that be manipulated easily enough?
@NogDog, May 07 2021: Either/both of those (session cookie, referrer) could be worked around, if by nothing else than first sending a cURL request to the web page, capturing all the headers and HTML from the response, then building the direct request to the JSON data with whatever headers and such are needed.

Perhaps that's all you need, if it's enough to stop ninety-something percent of whatever small percentage of your site's users might be inclined to try to access that JSON directly. If your desire is 100% blockage, that's probably going to be difficult to do (at least based on my imperfect knowledge); but maybe making it difficult enough will stop most, and be "good enough"?
@kiwis (author), May 08 2021: @NogDog #1631386

I realize it's a bit different but how do some API services restrict access to paid services etc?
@NogDog, May 08 2021: > @kiwis80 #1631387 how do some API services restrict access to paid services etc

Typically there's something like having an API key that you get issued with your account. You could layer SSL/TLS certs on top of that, and other stuff I only slightly understand. (Working on something right now where we have an api key, a secret key, TLS cert from Digicert, then first have to acquire a limited-time JWT with that stuff from one service, then submit the actual API request with that JWT along with the TLS cert -- makes my head spin.)
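An added example (not code from the thread) of the pattern NogDog describes, and of why it beats the Referer and session-cookie checks discussed earlier: the client trades an API key and secret for a short-lived HMAC-signed token, and the JSON endpoint serves the file only when the token's signature verifies and it has not expired. A forged Referer or replayed cookie is just a client-supplied header, whereas a token signed with a server-only key cannot be minted by anyone who doesn't hold that key. Both "endpoints" are modelled as plain functions so the exchange runs from the PHP CLI with no web server; the key, secret, signing key, file path and header names are made-up placeholders, and the JSON contents are constructed sample data.

```php
<?php
// Added example: API key + secret -> short-lived signed token -> gated JSON.
// Everything named below is an assumed placeholder, not a real credential.
declare(strict_types=1);

const API_KEY     = 'demo-key-0001';                     // assumed placeholder
const API_SECRET  = 'demo-secret-change-me';             // assumed placeholder
const SIGNING_KEY = 'server-side-signing-key-change-me'; // server-only, never sent to clients
const TOKEN_TTL   = 300;                                 // token lifetime in seconds

// Server-side registry of issued credentials; the secret is stored hashed.
// In real use this would live in a database rather than an array.
$CLIENTS = [API_KEY => password_hash(API_SECRET, PASSWORD_DEFAULT)];

function b64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}
function b64url_decode(string $s) {
    return base64_decode(strtr($s, '-_', '+/'), true); // false on bad input
}

// "Token endpoint": check key + secret, hand back payload.signature.
function issue_token(array $clients, string $apiKey, string $apiSecret, int $now): ?string {
    if (!isset($clients[$apiKey]) || !password_verify($apiSecret, $clients[$apiKey])) {
        return null; // unknown key or wrong secret
    }
    $claims  = ['sub' => $apiKey, 'iat' => $now, 'exp' => $now + TOKEN_TTL];
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', $payload, SIGNING_KEY, true));
    return $payload . '.' . $sig;
}

// Used by the JSON endpoint: returns the claims, or null if invalid/expired.
function verify_token(string $token, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SIGNING_KEY, true));
    if (!hash_equals($expected, $sig)) {
        return null; // constant-time compare; rejects tampered payload or signature
    }
    $raw = b64url_decode($payload);
    $claims = $raw === false ? null : json_decode($raw, true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null; // malformed or expired
    }
    return $claims;
}

// "JSON endpoint": serve the file only behind a valid bearer token, else 401.
function serve_json(array $headers, string $jsonPath, int $now): array {
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/', $auth, $m) || verify_token($m[1], $now) === null) {
        return ['status' => 401, 'body' => ''];
    }
    return ['status' => 200, 'body' => file_get_contents($jsonPath)];
}

// ---- Simulated exchange (constructed sample data, temp file stands in for the real JSON) ----
$now  = time();
$json = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($json, json_encode(['items' => [1, 2, 3]]));

$token  = issue_token($CLIENTS, API_KEY, API_SECRET, $now);
$ok     = serve_json(['Authorization' => "Bearer $token"], $json, $now);
$noTok  = serve_json([], $json, $now);
$late   = serve_json(['Authorization' => "Bearer $token"], $json, $now + TOKEN_TTL + 1);
$forged = serve_json(['Authorization' => 'Bearer ' . explode('.', $token)[0] . '.AAAA'], $json, $now);
$badSec = issue_token($CLIENTS, API_KEY, 'wrong-secret', $now);

printf("valid: %d, no token: %d, expired: %d, forged sig: %d, wrong secret issues token: %s\n",
       $ok['status'], $noTok['status'], $late['status'], $forged['status'],
       $badSec === null ? 'no' : 'yes');
unlink($json);
```

The caveat that ties this back to the original question: the scheme only helps when the caller can keep the API key and secret out of reach, i.e. a logged-in user's server-side session or a server-to-server client. A fetch from a public page still has to carry whatever credential it uses in the browser, where anyone can read it, which is exactly the limitation NogDog raised in the first reply.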