Restrict Data Access to Specific Domains
You can give specific domains and IP addresses access to your dataset APIs by specifying the domains in a given publishable API Token. After specifying an API token’s domain restriction, requests that use the API token are only valid if their HTTP referer header satisfies the domain restriction.
The header name “referer” is a misspelling of the word “referrer” that has now become part of the HTTP standard.
Set up a Domain Restriction
Go to API Tokens. It’s listed in your user menu.
The API Tokens page appears, listing your tokens in order, oldest to newest.
Click the Manage button next to the API token you want to set restrictions for. The Token settings page appears for the token.
In the Allowed Domains field, enter the domain and/or IP address values from which you want to allow requests.
When you’re done entering allowed domain values, click Done. The restriction goes into effect in about 30 seconds.
Now requests that use the token must have an HTTP referer header value that matches one of the Allowed Domains values.
Single Domain Restrictions
A domain restriction can be a URL or an IP address. The form validates each domain restriction. If any of the domain restrictions are invalid, the Update domain button remains disabled.
A wildcard character (“*”) is appended to all domain restrictions. This allows the referer to include anything in the path following the restriction. For example, the following HTTP referers are considered valid requests for the restriction
If you want to further restrict paths for the example, you can update the restriction to a longer path. So, if you set the domain restriction to www.example.com/app/stock, then these would be valid referers:
The following referers, however, would not be valid under the restriction
Protocol Restrictions (HTTP v. HTTPS)
If you don’t specify a protocol, both the HTTPS and HTTP protocols are allowed. If you want to limit calls to HTTPS only, prefix the restriction with https:// like this:
https://www.example.com/stock is a valid referer, while http://www.example.com/stock is not a valid referer.
Allowing multiple subdomains
You can prepend a wildcard * character to the beginning of a restriction to support multiple subdomains. For example, the following referers are valid under restriction
Multiple Domain Restrictions
You can set multiple domain restrictions by separating them with a space character. For example, a restriction of www.mysite.com *.example.com allows requests from the following referers:
A referer need only satisfy one of the restriction’s domain patterns.
Please note that while restricting the HTTP referer does provide a layer of security, people can make requests with your token and spoof the referer header.
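The matching rules described above can be sketched in a few lines of Python. This is an added example, not the platform's own implementation: the function names are hypothetical, the sample referers in the comments are constructed, and it assumes the host is compared exactly (so the implicit trailing wildcard applies only to the path) and that a missing referer is rejected.

```python
from urllib.parse import urlsplit

def parse_restriction(pattern):
    """Split one Allowed Domains value into (scheme or None, host, path prefix)."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:                       # no protocol given: HTTP and HTTPS both allowed
        scheme, rest = None, pattern
    host, _, path = rest.partition("/")
    return (scheme.lower() if scheme else None,
            host.lower(),
            "/" + path if path else "")

def host_matches(rule_host, host):
    """Exact host match, or suffix match when the rule starts with '*'."""
    if rule_host.startswith("*"):
        return host.endswith(rule_host[1:])
    return host == rule_host

def referer_allowed(allowed_domains, referer):
    """True if the referer satisfies at least one space-separated restriction."""
    if not referer:
        return False                  # assumption: no referer means no match
    try:
        ref = urlsplit(referer)
        host = (ref.hostname or "").lower()
    except ValueError:                # malformed URL in the header
        return False
    ref_scheme = ref.scheme.lower()
    if ref_scheme not in ("http", "https"):
        return False
    for pattern in allowed_domains.split():
        scheme, rule_host, rule_path = parse_restriction(pattern)
        if scheme and scheme != ref_scheme:
            continue                  # e.g. https:// restriction, http referer
        # Implicit trailing wildcard: anything may follow the restricted path.
        if host_matches(rule_host, host) and ref.path.startswith(rule_path):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample referers checked against restrictions from the page.
    print(referer_allowed("https://www.example.com", "http://www.example.com/stock"))
    print(referer_allowed("www.mysite.com *.example.com", "https://api.example.com/"))
```

Because the referer value is supplied by the client, a check like this narrows where a publishable token works from a browser but does not authenticate the caller.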