
if your api is modifying server state w/o HMAC, api is probably broken.



HMAC won't save you if the application is public (and therefore available to scrapers). If a search engine or other bot can get a link to the page from another page in the app just as any interactive user would, it can also get a link with a correct HMAC token just as any interactive user would.


That isn't how HMAC works. http://en.wikipedia.org/wiki/Hash-based_message_authenticati...

The private key of the API user is hashed with the full URL of the service. The user id is sent in the header of the request. The server looks up the user id and gets their private key; it then uses that key to hash the URL, comparing it to the one passed.

There is no way for a scraper or bot to get the HMAC token.
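The scheme described in the comment above, as an added illustration that is not part of the original thread: the client signs the full URL with its per-user secret and sends the user id in a header; the server looks the secret up by user id, recomputes the HMAC over the URL it actually received, and compares in constant time. Header names, URLs and the key store are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample key store (server side): user id -> per-user secret.
# These are placeholder values for the example, not real credentials.
USER_KEYS = {
    "user-42": b"constructed-secret-for-user-42",
    "user-7": b"constructed-secret-for-user-7",
}


def sign_url(secret: bytes, url: str) -> str:
    """HMAC-SHA256 of the full URL under the caller's secret, hex-encoded."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_request(user_id: str, secret: bytes, url: str) -> dict:
    """Client side: the user id travels in a header (hypothetical header names),
    and the signature is computed over the exact URL being requested."""
    return {
        "url": url,
        "headers": {
            "X-User-Id": user_id,
            "X-Signature": sign_url(secret, url),
        },
    }


def verify_request(request: dict) -> bool:
    """Server side: look up the secret by user id, recompute the HMAC over the
    URL as received, and compare in constant time. An unknown or missing user
    id, a tampered URL, or a signature made under another user's key is rejected."""
    headers = request.get("headers", {})
    user_id = headers.get("X-User-Id")
    presented = headers.get("X-Signature", "")
    secret = USER_KEYS.get(user_id)
    if secret is None:
        return False
    expected = sign_url(secret, request["url"])
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, presented)
```

A crawler that copies a signed link replays it for the same user and URL only; changing the URL or reusing the signature under another user id fails verification. As the comment describes, only the URL is covered, so a deployment would normally also bind the method, a body digest and a timestamp or nonce to limit replay.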


For an authenticated user, yes, as you have somewhere to hang a known-by-the-server-but-unknown-elsewhere key from.

For a public interface you don't necessarily have that. Though once you are dealing with a service that can be modified by unauthenticated users you have larger problems from malicious interactive users than from accidents by scrapers, so I'm probably arguing an irrelevant point...





