Javascript API - Restrict Domain by providing whit

2019-05-18 19:13发布

问题:

My Application provides an API Key and Javascript code to put on their site (similar to google anayytics code).

All the calls in the API use JSONP to communicate with our server.

Since the API key is sensitive, we have our users coming back and asking to provide a whitelisting option for the domain. This is similar to Linkedin, Facebook, Twitter and Google.

Should I be using referrer option to restrict the domain? But a rogue can always manually add this using normal http api and gain access.

Is it a good idea to encrypt (or hash?) and send the window.location within the API and compare that at the server side.