Secure access to api only from chrome extension

I am working on allowing a chrome extension to post a new entry to my site via post data.

I want to be able to lock it down so only the chrome extension can post. If I get post data from anywhere else I want to reject it.

Does anyone know if/how this is possible or how you would go about doing it?

5 thoughts on “Secure access to api only from chrome extension”

  1. Unfortunately, validating clients (whether a Chrome extension, an Android app, an iOS app, client-side JavaScript, or some other client) from a web server is an unsolved problem.

    There are some things that you can do to deter abuse and mitigate this problem such as:

    • Requiring user authentication (and rate-limiting usage per-user)
    • Rate-limiting access on the basis of IP addresses
    • Requiring tokens to be provided that are handed out in prior requests (this can be used to ensure that certain APIs are called in certain expected orders / patterns).
    • Showing a CAPTCHA or other challenge for anomolous or over-limit usage

    While you can additionally check things such as user agent, referrer URL, or a token that you embed in the Chrome extension, with any distributed application, it is easy to reverse-engineer these and mimick them in a counterfeit app, and so these aren’t true solutions.

  2. You can add a simple check in the code.

    Following code stops anyone who is trying to access your api outside the chrome extension.

    if(substr($_SERVER['HTTP_ORIGIN'],0,19) !== "chrome-extension://") die("Not Allowed")

Leave a Comment