Javascript API Security using Domain Whitelist

Postby ruzippizur » June 27th, 2019, 3:55 pm

The game key can be easily discovered through Javascript/Client.

To prevent hacking and abuse, I would suggest having a Domain Whitelist option so the API can only accept client connections originating from a domain or domain list given by the developer. The Google reCaptcha project which is a widely used website verification tool has been using this method (whitelisting domains, including localhost for testing) and it works perfectly.

For JavaScript web-to-mobile apps like PhoneGap/Ionic, you could have it checked through package names (com.example.app) for validation.

Or is there a way this can be done through server C# code? If so, how?
ruzippizur
 
Posts: 8
Joined: June 14th, 2019, 10:33 am

Re: Javascript API Security using Domain Whitelist

Postby Henrik » September 20th, 2019, 8:00 am

This is a pretty interesting request, and it makes perfect sense. It would only work for game clients using websockets though, i.e. the JS client and the Unity WebGL client, but those might also be the ones most likely to benefit from this.

We'll take a look at it!
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm
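The check ruzippizur asks for, and that Henrik scopes to the WebSocket clients, can be done on the server side of the WebSocket handshake by comparing the request's Origin header against the developer's whitelist. The code below is an added example written for this thread in Node.js; it is not PlayerIO's implementation (the thread does not show one) and not the C# server code the question mentions. The whitelist entries, the sample handshake header maps and the names `checkOrigin`, `naiveCheckOrigin`, `parseOrigin` and `demo` are constructed for illustration. It puts a naive prefix-match check next to an exact scheme/host/port comparison so the suffix bypass of the naive form is visible.

```javascript
// Added example (not PlayerIO's code): checking the Origin header of a
// WebSocket handshake against a developer-supplied domain whitelist.
// Runs stand-alone under Node.js; whitelist entries and requests are constructed.

// Whitelist as a developer might configure it. "localhost" is included for
// local testing, as the post notes reCAPTCHA allows.
const ALLOWED_ORIGINS = [
  "https://game.example.com",
  "https://example.com",
  "http://localhost:8080",
];

// Weak check for comparison: a prefix match on the raw header string.
// It looks reasonable but is bypassable (see demo below).
function naiveCheckOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers.origin;
  return raw !== undefined && allowed.some((entry) => raw.startsWith(entry));
}

// Parse an origin (whitelist entry or header value) into scheme, host and
// port. Returns null for anything that is not an absolute http(s) URL, so
// "null", garbage and non-web schemes are rejected instead of matched.
function parseOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return {
    scheme: url.protocol,
    host: url.hostname.toLowerCase(), // WHATWG URL already lowercases; be explicit
    port: url.port || (url.protocol === "https:" ? "443" : "80"), // fill default port
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Hardened check: exact scheme+host+port comparison of parsed origins.
// `headers` is the header map of the HTTP upgrade request with names
// lower-cased, as Node's http module presents them. Returns {ok, reason}.
function checkOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers.origin;
  // Browsers always send Origin on a WebSocket handshake (RFC 6455, section 4.1).
  // This example treats its absence as a non-browser client and rejects it,
  // since the whitelist cannot vouch for such clients (an assumption of this demo).
  if (raw === undefined) return { ok: false, reason: "no Origin header" };
  const origin = parseOrigin(raw);
  if (origin === null) return { ok: false, reason: "malformed Origin" };
  const matched = allowed.find((entry) => {
    const want = parseOrigin(entry);
    return want !== null && sameOrigin(origin, want);
  });
  return matched
    ? { ok: true, reason: `matched ${matched}` }
    : { ok: false, reason: `${raw} is not whitelisted` };
}

// Constructed handshake headers exercising the cases that matter.
const SAMPLE_HANDSHAKES = {
  legit: { origin: "https://game.example.com" },
  legitUpperDefaultPort: { origin: "https://GAME.EXAMPLE.COM:443" },
  localDev: { origin: "http://localhost:8080" },
  suffixAttack: { origin: "https://game.example.com.evil.net" },
  wrongScheme: { origin: "http://game.example.com" },
  wrongPort: { origin: "http://localhost:3000" },
  nullOrigin: { origin: "null" },
  noOrigin: {},
};

// Run both checks over the samples; returns {name: [naiveResult, hardenedResult]}.
function demo() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_HANDSHAKES)) {
    out[name] = [naiveCheckOrigin(headers), checkOrigin(headers).ok];
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

Two rows of the demo carry the point: `suffixAttack` passes the naive prefix check because `https://game.example.com.evil.net` starts with a whitelisted string, while `legitUpperDefaultPort` fails it even though `https://GAME.EXAMPLE.COM:443` is the same origin as the whitelist entry; the parsed comparison gets both right. One caveat a practitioner should keep in mind: a browser sets the Origin header itself and page script cannot change it, which is what makes the whitelist effective against another site embedding a copied game key, but a non-browser client can send any Origin it likes. The check therefore limits abuse from other websites; it does not turn the client-visible game key into a secret.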

Re: Javascript API Security using Domain Whitelist

Postby Henrik » October 15th, 2019, 4:33 am

Hey ruzippizur,

This feature is now live on PlayerIO: https://playerio.com/news/21-new-featur ... -whitelist

Test it out and let us know what you think!
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Javascript API Security using Domain Whitelist

Postby Brttnelson » March 16th, 2021, 8:03 am

ruzippizur wrote:The game key can be easily discovered through Javascript/Client.

Wow, nice. Thanks for sharing this amazing info; I really liked reading it and would like to share it with my friends.
Brttnelson
 
Posts: 5
Joined: January 9th, 2021, 8:44 am

