Topic on Project:Support desk

Disable API access for external sites?

93.184.128.17

I don't want others to use the API (read or write).

Can I restrict the API access so only my own server can access it?

Ciencia Al Poder

Not inside MediaWiki, but you can create rules in your webserver.

The access to the api has the following characteristics:

  • Access from the clients (users) of your wiki, for example to add a page to the watchlist
    Those HTTP requests should have a "Referer" (sic) header from the page originating the request.
  • Access from external sources
    Those HTTP requests won't have a "Referer" header, or they'll contain a different server. But note that they could fake a Referer header!

This is a bit weak, but may be useful to you.

Florianschmidtwelzow

Hmm, the question is: who are "others"?

Subfader

Sorry for the late reply and thanks for the suggestions.

I'd prefer a safe method only allowing API calls from my own server. So "others" is any external website or app.

Could I restrict read rights for api.php?

Ciencia Al Poder

No, there's no configurable user right for restricting api reads.

Florianschmidtwelzow

You could add a new virtual host to your Apache configuration pointing to another webroot, copy your actual wiki into it (which will use the same database as your actual wiki) and activate the API (and disable it on your actual, public wiki). Now add an .htaccess file and deny requests from all hosts except localhost/127.0.0.1. Nevertheless, this seems to be an ugly workaround. I'm wondering why you don't want to activate the API for all users. Everything you can do in the API can be done through the web interface, too :)
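
The two webserver-level approaches suggested in the replies above, sketched as an added Apache 2.4 example that is not part of the thread. The hostname wiki.example.org, the paths under /var/www and port 8080 are assumed placeholders, and blocking api.php with a `<Files>` rule stands in for disabling the API on the public wiki.

```apache
# Added example, Apache 2.4 syntax. Assumed placeholders: wiki.example.org,
# /var/www/wiki, /var/www/wiki-internal, port 8080.
# Options A and B are alternatives for the public vhost; load only one.

# --- Option A: Referer filter (weak) ---------------------------------
# Allows api.php only when the Referer header points at this wiki.
# The header is supplied by the client, so any HTTP client can set it;
# this does not authenticate the caller.
<VirtualHost *:80>
    ServerName wiki.example.org
    DocumentRoot /var/www/wiki

    SetEnvIfNoCase Referer "^https?://wiki\.example\.org/" api_same_site
    <Files "api.php">
        Require env api_same_site
    </Files>
</VirtualHost>

# --- Option B: API reachable from the server itself only --------------
# Public vhost: api.php is refused for everyone. Wiki features that call
# the API from the browser (e.g. adding a page to the watchlist) stop
# working.
<VirtualHost *:80>
    ServerName wiki.example.org
    DocumentRoot /var/www/wiki

    <Files "api.php">
        Require all denied
    </Files>
</VirtualHost>

# Internal vhost: second copy of the wiki using the same database, bound
# to the loopback interface and additionally restricted to local clients.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName localhost
    DocumentRoot /var/www/wiki-internal

    <Directory "/var/www/wiki-internal">
        Require local
    </Directory>
</VirtualHost>
```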

Subfader

Someone could grab all my content and make their own site / app with it, no?

88.130.69.198

That is how the internet works. He could btw also parse the HTML code of the wiki to get the content. If you don't want others to read your content, then don't publish it. And: No, also storing it online at a "secured" place will not help you, just have a look at the latest celebrity photo leaks.
