There are websites that allow restricting their API usage to certain domains, so they will receive and respect only requests coming from those domains.
How do they check the sender domain? Can it be faked?
CodePudding user response:
They can check the sender domain by validating the sender domain's public-key certificate attached to the sender's HTTPS request, which should be signed by a CA to certify the sender domain. This should work based on the SSL-based encrypted network data traffic.
CodePudding user response:
Another way to do it is to support TLS mutual authentication at the server, in which case the client will have to authenticate itself by presenting the appropriate TLS client certificate, which is issued to it by a mutually trusted certification authority.
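The mutual-TLS arrangement described in the answer above, as an added, self-contained example that is not part of the original answer: it builds a throwaway private CA in memory, starts a server (Go's standard `net/http/httptest`) configured with `tls.RequireAndVerifyClientCert` and that CA as its `ClientCAs`, and then sends three requests: one with a client certificate issued by the trusted CA, one with no certificate, and one with a certificate that carries the same name but was issued by an unrelated CA. The CA names and the `app.example.test` identity are constructed for the demo. The third case is the one that answers "can it be faked?": a subject name is trivial to copy, but the handshake fails unless the certificate chains to a CA the server already trusts, so the server only ever reads an identity that has been cryptographically verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a certificate. With parent == nil it is a self-signed CA;
// otherwise it is a leaf signed by parent/parentKey and marked for client auth.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// call makes one GET against srv, optionally presenting a client certificate,
// and returns the body (the identity the server extracted) or the TLS error.
func call(srv *httptest.Server, clientCert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust the test server's own certificate
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

type Result struct {
	TrustedCN    string // identity the server read from a CA-issued client cert
	TrustedErr   error
	NoCertErr    error // what a client with no certificate gets
	RogueCertErr error // what a client with a same-named cert from an unknown CA gets
}

// RunDemo builds a private CA, a server that requires client certificates chaining
// to it, and exercises the three clients. Names are constructed for the demo.
func RunDemo() (Result, error) {
	var res Result
	ca, caKey, err := issue("Demo Private CA", nil, nil)
	if err != nil {
		return res, err
	}
	leaf, leafKey, err := issue("app.example.test", ca, caKey)
	if err != nil {
		return res, err
	}
	rogueCA, rogueCAKey, err := issue("Untrusted CA", nil, nil)
	if err != nil {
		return res, err
	}
	rogue, rogueKey, err := issue("app.example.test", rogueCA, rogueCAKey) // same name, wrong issuer
	if err != nil {
		return res, err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached after the TLS layer verified the chain against clientCAs.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	res.TrustedCN, res.TrustedErr = call(srv, &tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey})
	_, res.NoCertErr = call(srv, nil)
	_, res.RogueCertErr = call(srv, &tls.Certificate{Certificate: [][]byte{rogue.Raw}, PrivateKey: rogueKey})
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA cert -> CN %q, err: %v\n", res.TrustedCN, res.TrustedErr)
	fmt.Printf("no cert         -> err: %v\n", res.NoCertErr)
	fmt.Printf("untrusted CA    -> err: %v\n", res.RogueCertErr)
}
```

The point to carry into a real deployment is that the handler never looks at a header to decide who is calling; it reads `r.TLS.PeerCertificates`, which is only populated once the TLS stack has verified the chain to `ClientCAs`. A restriction based on `Origin` or `Referer` alone has no such guarantee, since any non-browser client can set those headers to whatever it likes.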