I have an API key for the Google API that I would like to use in all my requests. Some of these requests will come from a Google App Engine application (Python 2.7). I planned to use the UrlFetch library to complete the POST request, basically as follows:
    import json
    from google.appengine.api import urlfetch

    headers = {'Content-Type': 'application/json'}
    payload = {'longUrl': request.long_url}
    # [API_REQUEST_URL] is a placeholder for the API endpoint URL
    result = urlfetch.fetch([API_REQUEST_URL], method=urlfetch.POST, payload=json.dumps(payload), headers=headers)
    json_result = json.loads(result.content)
I set the referrer restriction on my API key to *.[my-app].appspot.com/* in the hope that this would protect my API key from unauthorized use and avoid the need to update the restriction based on IP addresses (since App Engine IPs change all the time).
This approach did not help me, because it seems that urlfetch does NOT set a value for the referrer on its own. I suppose I can add my own referrer, but then so could someone else. This approach is not very safe.
What is the best practice? How do I restrict the key, given that I am using urlfetch from App Engine? If I use the HTTP Referrer restriction, what address do I use?
Thank you very much.