URL-based security
This document describes the URL-based security features that you can enable on your Apideo key. It is not the only security feature available. If you haven't done so already, you should start by reading the security overview.
When URL-based security is activated on your Apideo key, Apideo checks that any program connecting with your Apideo key is executed from a website you have authorized.
How to set up URL-based security?
URL-based security is enabled in your Apideo account. Log into your account and navigate to Subscriptions -> Configure security settings. From the security settings screen, you can enable or disable URL-based security.
When you enable URL-based security, you will need to provide a list of websites that are authorized to use your Apideo key. For instance: "www.mywebsite.com". If you have multiple subdomains, you can use wildcards in the URL. For instance: "*.mywebsite.com". Please note that Apideo relies on the URL, not on the IP address.
Once the security is enabled, anyone trying to use your Apideo key on an unauthorized website will be denied. This also applies to a typical development environment: if you are testing Apideo locally (using a "http://localhost" URL), you will be denied access to your Apideo key unless you add "localhost" to the list of allowed URLs. Of course, when "localhost" is in the list of allowed URLs, anyone accessing a website locally can use your Apideo key, so you should keep this entry in the list only while development is ongoing.
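As an added illustration (not Apideo's own code), the sketch below shows one way an allow-list like the one described above could be matched against the host name of a page URL, and how to spot a leftover "localhost" entry. It assumes that "*.mywebsite.com" covers subdomains only and not "mywebsite.com" itself; the function names and sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list, using the entries quoted in the text.
ALLOWED = ["www.mywebsite.com", "*.mywebsite.com", "localhost"]


def host_of(page_url):
    """Return the lowercased host name of a page URL, or None if it has none."""
    host = urlsplit(page_url).hostname  # ignores scheme, userinfo, port, path
    return host.rstrip(".") if host else None


def pattern_matches(pattern, host):
    """Match one allow-list entry against a host name (hypothetical semantics)."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.mywebsite.com" -> ".mywebsite.com"
        # The leading dot anchors the match on a label boundary, so
        # "evilmywebsite.com" is not treated as a subdomain.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_authorized(page_url, allowed=ALLOWED):
    """True if the URL's host name matches an entry; matching is by name, not IP."""
    host = host_of(page_url)
    if host is None:
        return False  # no parsable host: deny by default
    return any(pattern_matches(p, host) for p in allowed)


def development_entries(allowed):
    """Entries that should be removed once development is over."""
    return [p for p in allowed if p.lower().rstrip(".") == "localhost"]


if __name__ == "__main__":
    for url in ("https://shop.mywebsite.com/room",
                "http://localhost/test.html",
                "https://www.mywebsite.com.other.example/"):
        print(url, "->", "allowed" if is_authorized(url) else "denied")
    print("remove before going live:", development_entries(ALLOWED))
```

The check only ever sees the URL it is handed, so it is exactly as trustworthy as whatever reports that URL.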
Security level
URL-based security partly relies on the Apideo Flash files providing the correct URL to the server. A hacker could reverse-engineer the Flash file and modify it to lie about the URL. This is, however, tricky to do.
Put simply, once URL-based security is activated, an ordinary developer won't be able to go to your website, look at your source code using "right click -> View source code", take your Apideo key and use it on their own website. A developer who is a bit of a hacker might still manage to use it, however, by crafting a hacked version of the Apideo Flash files.
To avoid this, you will need to implement Token-based security.
You might wonder: why should I implement URL-based security if it is not 100% secure and I need to add Token-based security anyway? The short answer is: because it is easy! It is just a form to fill in in the Apideo console. Token-based security will require more effort from you, and starting with URL-based security is perfectly fine if you have a free account and are not afraid of someone spying on a room. Indeed, what is the point of stealing an Apideo key if it is free?
