I have a web API that I want to allow any domain to send data to. However, in order to prevent fictitious spam, I want to find a way to guarantee that a request claiming to come from a specific domain is indeed from that domain, and that someone is not trying to trick me by sending it from another domain.
For example, if http://example.com provides some data, that's good. If script kiddie #237 provides data that claims to be from example.com, that's bad.
At first I was going to use a secret key system to sign each request with an HMAC, but registration will be open, free and automated for this API. I'm not sure how I can determine whether PersonA or PersonB really owns http://example.com and deserves an API key.
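The HMAC-per-request scheme mentioned in the question, as an added example (not code from the question or any answer): the server binds the domain to the API key in its own registry, recomputes the HMAC-SHA256 over the method, path, body hash and timestamp, and compares in constant time. The key registry, header names and time window are assumptions; proving at registration time that the key holder actually controls the domain is a separate step this example does not cover.

```python
import hashlib
import hmac
import time

# Constructed sample registry: api_key -> (domain, shared secret).
# In practice the secret is issued once at registration and kept server-side.
API_KEYS = {
    "key-example": ("example.com", "constructed-secret-for-example.com"),
}
MAX_SKEW_SECONDS = 300  # reject signatures older than five minutes (replay window)


def canonical_string(method, path, body, timestamp, api_key):
    """Bind every field the server cares about into one string to be signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), api_key])


def sign_request(secret, method, path, body, timestamp, api_key):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, body, timestamp, api_key).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_request(method, path, body, headers, now=None):
    """Server side: return the domain bound to the key, or None if rejected.

    The domain comes from the registry, never from a client-supplied header,
    so a caller cannot become example.com just by claiming to be it.
    """
    now = time.time() if now is None else now
    api_key = headers.get("X-Api-Key")
    entry = API_KEYS.get(api_key)
    if entry is None:
        return None  # unknown key
    domain, secret = entry
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None  # missing or malformed timestamp
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None  # stale or future-dated: possible replay
    expected = sign_request(secret, method, path, body, timestamp, api_key)
    provided = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected, provided):
        return None  # body, path, method or timestamp was altered
    return domain
```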