Yes, you can assume this.
The only cases where this header will be allowed through to the app are:
(a) another app is requesting your app using our urlfetch api [or,
the app is urlfetching itself]
(b) the request came from a logged-in admin of your app
While (a) is the primary intention of this header, (b) can be useful
for debugging purposes.
On Tue, Jul 26, 2011 at 2:39 AM, Andrin von Rechenberg
<[email protected]> wrote:
> Hey there
> I was wondering if the header HTTP_X_APPENGINE_INBOUND_APPID
> could be faked by a client or if the Google Frontends authenticate this
> header
> somehow?
> Is it secure to assume that if HTTP_X_APPENGINE_INBOUND_APPID is present,
> the request is really from that app?
> Cheers,
> -Andrin
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
>
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en.
