Adding header option for making secure request #660
Conversation
|
Can I ask what your use case is? |
|
We use proxy server to secure the google key, but the URL is exposed to public since it will be accessed by our mobile app. To make sure all requests to the proxy server are coming from the mobile app, we are passing the user JWT in authorization header so we know the request is valid. |
|
Is this web specific? This sounds like it solves a pretty narrow use case, and may be a little out of scope for this library. |
|
It is not web specific. The plug-in requires unrestricted key to be used in the mobile app, but we needed to secure the google key, we did that by using a proxy server. Using a proxy server doesn’t eliminate the security issue, we still need to protect the requests that is coming in. With the authorization header the plug-in makes secure calls to the proxy server. If it’s out of scope what do you recommend to make secure calls when using proxy server to protect google key? Open to ideas, please advise. |
|
We are currently at the same place in our evaluation of this library, this seems to be the only feasible approach to protecting our API key, but we would need to add a header with the auth for the proxy. @bell-steven what is being described in this PR would appear to be the best practice IMO (for those uncomfortable handing out wide-open API keys) we would likely use this approach if landed, as a plan B for being unable to use an Apple/Android restricted API key |
|
Closing in favor of #734 |
Enhancing the custom request url option to include headers for making authorized requests.