-------------------------------------------- On Thu, 1/5/17, Evan Jones <[email protected]> wrote:
Subject: Re: [google-appengine] Re: Securing access between GAE applications To: "Google App Engine" <[email protected]> Date: Thursday, January 5, 2017, 12:53 AM Yes, I'm pretty sure that Google strips that header from any external requests, so it can't be spoofed. I can't find anything that explicitly says that in the official documentation, but there are hints in the following sources. If I were you, I would verify that this is true before you rely on it: https://cloud.google.com/ appengine/docs/python/how- requests-are-handled#app- engine-specific-headers https://cloud.google.com/ appengine/docs/python/config/ cron#securing_urls_for_cron http://stackoverflow.com/ questions/30237946/google-app- engine-inter-module- communication-authorization# comment49814138_30237946 https://code.google.com/p/ googleappengine/issues/detail? id=12069 On Wed, Jan 4, 2017 at 5:36 PM, Mateusz Haligowski <[email protected]> wrote: That sound like a great idea, but does AppEngine guarantees that there is no way to spoof the header? I can always just make a curl request with the header set, and the project id is also a part of the URL, isn't it? W dniu środa, 4 stycznia 2017 13:06:01 UTC-8 użytkownik Evan Jones napisał:You can check the X-Appengine-Inbound-Appid header on requests coming it to your service. On App Engine, it will be set by Google, so you can trust it. Check that it matches the project(s) you expect, and return some HTTP error if it doesn't match. See: https://cloud.google.com/appen gine/docs/go/appidentity/ On Wednesday, January 4, 2017 at 2:39:13 PM UTC-5, Mateusz Haligowski wrote:Hi google-appengine,I started playing with GAE a couple of weeks ago and absolutely love it. I created a bunch of REST services with Go and deployed them to GAE. I've also created a webapp that talks to my backend services. Now, I want to handle the user authentication with Auth0 on the webapp side, and came to realization that my backend services are publicly available. My question is: what is the approach to secure them? Is there any way to tell GAE "Accept only http(s) calling from other GAE services?". Thanks,Mateusz -- You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group. To unsubscribe from this topic, visit https://groups.google.com/d/to pic/google-appengine/FAxqswxW4 dk/unsubscribe. To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@g ooglegroups.com. To post to this group, send email to google-appengine@googlegroups. com. Visit this group at https://groups.google.com/grou p/google-appengine. To view this discussion on the web visit https://groups.google.com/d/ms gid/google-appengine/ce6063f9- d974-4eed-beec-f1469bf15145% 40googlegroups.com. For more options, visit https://groups.google.com/d/op tout. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/CACRPLjjNS8h5Y1CFS9oEksbkQKbu0cLaw%2BfqMVCafyF9pAsR9A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout. ntalnirea lui Nicolae Titulescu cu Maxim Litvinov in 1936 -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/1265129763.198521.1483590667345%40mail.yahoo.com. For more options, visit https://groups.google.com/d/optout.
