AGS security for public portal

Oct 10, 2013

We are developing a public portal using the Silverlight API. We want our REST services for the portal to be locked down such that our application is the only means to view/use them. I have enabled token-based security on our services, and created a role (with a single user) that has access to those secured services. I then generated a long-term token using those credentials, with httpReferrer set to our web app's base URL. I have then included this token in my calls to our ArcGIS Server in my Silverlight code.

I am wondering if placing the token in the Silverlight code is still a liability, even though the httpReferer is set.

Web security is not my strong point, so any suggestions welcome!

Matt Giles