
Token security when HTTP referer is used

Question asked by aslaken on Sep 8, 2016

Hi,

I'm creating a web application using the ArcGIS JavaScript API v. 3.14. This application is going to show a secure image layer that I can access by providing a generated token in the request. I'm planning to generate the token based on the HTTP referer option, which is described in the following way in the documentation:

  • HTTP Referer: When this (default) option is selected, the issued token can only be used in requests referred by the specified URL. This is the URL of the page from which the request is made to the ArcGIS resource. Use this approach when building an application with the ArcGIS API for JavaScript or other REST-based applications, in which individual clients will request maps and data directly from the ArcGIS Server web service.

I interpret the above to mean that the token will only work for requests made via the specified URL, and that the token will not work when used in a request made from any other website. Hence I would think that the token is not sensitive information.

My question is as follows:

Is it OK to hardcode the HTTP-referer-generated token into the request made to the service in my web app (i.e. this means that anyone who looks at the source code can see the token), or is this a problem in terms of security?
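As an added illustration (not code from the original post and not ArcGIS Server's implementation), the following JavaScript models how a referer-bound token check works: the token itself carries no proof of where the request came from; the check relies on the Referer header the client sends, which a browser fills in from the page URL, and it compares parsed origins rather than string prefixes. The token store, the sample token, the expiry and the function names are assumptions constructed for the example.

```javascript
// Model of a referer-bound token check (added example, not ArcGIS Server code).
// A token record binds the token string to the referer it was issued for,
// plus an expiry; the check compares the request's Referer header against it.

// Hypothetical token store with constructed sample data (not a real token).
const TOKEN_STORE = {
  "EXAMPLE_TOKEN_abc123": {
    referer: "https://maps.example.org/app/",      // referer the token was issued for
    expires: Date.parse("2016-09-09T00:00:00Z"),   // expiry as epoch milliseconds
  },
};

// Compare scheme + host + port of two URLs. Comparing parsed origins avoids
// the classic prefix-matching bug, where a lookalike host that merely starts
// with the bound host name would be accepted.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch (e) {
    return false; // an unparsable URL never matches
  }
}

// Decide whether a request carrying `token` with Referer header value
// `referer` (undefined when absent) is acceptable at time `now`.
// Returns { ok, reason } so the caller can log the reason for a rejection.
function checkRefererBoundToken(token, referer, now = Date.now()) {
  const rec = TOKEN_STORE[token];
  if (!rec) return { ok: false, reason: "unknown token" };
  if (now >= rec.expires) return { ok: false, reason: "token expired" };
  // Browsers send the page URL, or omit it under some referrer policies;
  // a missing header cannot show that the request came from the bound page.
  if (!referer) return { ok: false, reason: "no Referer header" };
  if (!sameOrigin(referer, rec.referer)) {
    return { ok: false, reason: "referer origin does not match bound origin" };
  }
  return { ok: true, reason: "referer matches bound origin" };
}
```

Because the Referer value is supplied by the requesting client, the binding constrains where a browser-hosted page can use the token rather than making the token itself secret; keeping tokens short-lived limits what a token read from page source is worth.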
