Forum Feedback Javascript API Security using Domain Whitelist

Problem with the website? Confused about something? Or maybe you just have something you'd like to suggest. This is the place to do it.

Javascript API Security using Domain Whitelist

Postby ruzippizur » June 27th, 2019, 3:55 pm

The game key can be easily discovered through Javascript/Client.

To prevent hacking and abuse, I would suggest having a Domain Whitelist option so the API can only accept client connections originating from a domain or domain list given by the developer. The Google reCaptcha project which is a widely used website verification tool has been using this method (whitelisting domains, including localhost for testing) and it works perfectly.

For Javascript using web to mobile apps like PhoneGap/Ionic, you could have it checked through package names ( for validation.

Or is there a way that this can be done through Server C# Code, how?
Posts: 4
Joined: June 14th, 2019, 10:33 am

Re: Javascript API Security using Domain Whitelist

Postby Henrik » September 20th, 2019, 8:00 am

This is a pretty interesting request, and it makes perfect sense. It would only work for game clients using websockets though, i.e. the JS client and the Unity WebGL client, but those might also be the ones most likely to benefit from this.

We'll take a look at it!
Posts: 1827
Joined: January 4th, 2010, 1:53 pm

Return to Feedback