The Author Online Book Forums are Moving

The Author Online Book Forums will soon redirect to Manning's liveBook and liveVideo. All book forum content will migrate to liveBook's discussion forum and all video forum content will migrate to liveVideo. Log in to liveBook or liveVideo with your Manning credentials to join the discussion!

Thank you for your engagement in the AoF over the years! We look forward to offering you a more enhanced forum experience.

Bradly (1) [Avatar] Offline
#1
You mention the verifying the publisher using the referrer isn't perfect as it can be manipulated fairly easily. Are there any other ways you know of to ensure the publisher's identity?

Thanks,
Bradly
benvinegar (68) [Avatar] Offline
#2
Re: Publisher impersonation question
Hey Bradly,

One way is to provide the publisher with a secret key, which they use on the back-end to sign a message with a timestamp. This signed message is placed in their HTML (as a JavaScript variable or HTML attribute), and your third-party script reads this value and passes it along to your servers. You can then test the authenticity of the message on your servers (and make sure the timestamp hasn't expired).

This of course requires your publishers to write some back-end integration with your services, which means additional overhead on their part.

You can also use the "Origin" header as well as the Referer. Or even insist that referers be present in order to use your application.

Hope this helps. Apologies for the late reply.

- Ben