Replies: 3 comments 2 replies
-
|
Setting a custom user agent or other http headers is not supported at this time. I think it would be possible in principle to implement this and I shared some thoughts in #158, but it's probably a fair amount of work. Regarding the specific use case of securing an API key, I'm not sure how much security you would really gain from doing that. An attacker could still intercept the applications traffic and see which user-agent is being used... |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your response. I can't speak to the amount of work or priority of this change, but https headers are encrypted, so this approach should give a measure of security; simple traffic sniffing wouldn't break it. |
Beta Was this translation helpful? Give feedback.
-
|
But so is the URL with the API key, right? So if someone can get your API key, either by decompiling the app or by running the app on a device they own, installing a custom root certificate and sniffing the traffic, they can use the same attack methods to see the user-agent, right? |
Beta Was this translation helpful? Give feedback.
-
|
I believe so; this isn't perfect security. Maybe akin to locking your front door; someone can still break a window, but they can't just walk in. |
Beta Was this translation helpful? Give feedback.
-
|
If you are looking to add custom headers to your requests, you can try the |
Beta Was this translation helpful? Give feedback.
-
I'd like to lock down our maptiler key to our app. They suggest limiting their key to a custom user-agent. Could we override the user-agent that gets sent in the mapping service requests for this?
I'm not sure what other map providers do for this, so I'm not sure if it's generally applicable, or if there should be a more general feature (like being able to override other http headers).
Or maybe there's already an established way to do this that I missed?
Beta Was this translation helpful? Give feedback.
All reactions