Secure API Key (for Vector Tiles usage)

akuchuri · ‎04-20-2023

Hello,

We use API Key on the frontend to load Vector Tiles. We would like to secure it in the best way. I understand that we can set referrers to allow only our domain to use it. But considering the fact that referrers can be forged, is it really a secure mechanism?

Does Esri's referrer checking mechanism use some kind of special check against forging?

What could you suggest for additional security?

RaymondHuang_Sg · ‎04-20-2023

In general http referrer checks are indeed a basic means of security but not foolproof, anything sent from the client can be tampered with many available tools, including referrer spoofing and user-agent spoofing.

To better secure the API key, we will need to add layers of protection, for example, to keep the key on server side instead of leaving it in plain view at the front end. Key needs to then be retrieved via an custom API to return the key to the app whenever needed.

To make that even more secured, have the server side use the key to retrieve the necessary content before sending the content to the requesting app client, not exposing the key in the entire process. We can then add other security measures on this API end point such as limiting the accessible IP addresses and ratelimits, etc.

just my two cents worth...

Cheers,
Raymond

akuchuri · ‎04-25-2023

Thank you for the answer, Raymond!

Generally, I would agree about moving the key the server side. But do you think it's possible for Vector Tile requests? These requests are closely tied with the frontend side.

Here is an example of the request from Esri site:

https://basemaps-api.arcgis.com/arcgis/rest/services/World_Basemap_v2/VectorTileServer/tile/13/3272/...

And requests like this are going very frequently each time we need a new portion of the map on the screen - on moving or zooming in and out. I imagine if it were possible on the backend, it would still be very heavy on the resources to go every time through the backend, wouldn't it?