Secure access to api only from chrome extension

I am working on allowing a chrome extension to post a new entry to my site via post data.

I want to be able to lock it down so only the chrome extension can post. If I get post data from anywhere else I want to reject it.

Does anyone know if/how this is possible or how you would go about doing it?

Answer

Unfortunately, validating clients (whether a Chrome extension, an Android app, an iOS app, client-side JavaScript, or some other client) from a web server is an unsolved problem.

There are some things that you can do to deter abuse and mitigate this problem such as:

  • Requiring user authentication (and rate-limiting usage per-user)
  • Rate-limiting access on the basis of IP addresses
  • Requiring tokens to be provided that are handed out in prior requests (this can be used to ensure that certain APIs are called in certain expected orders / patterns).
  • Showing a CAPTCHA or other challenge for anomalous or over-limit usage

While you can additionally check things such as user agent, referrer URL, or a token that you embed in the Chrome extension, with any distributed application, it is easy to reverse-engineer these and mimic them in a counterfeit app, and so these aren’t true solutions.
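One way to implement two of the mitigations above, the per-user rate limit and the "token handed out in a prior request" ordering check, as an added example that is not the answerer's code. It assumes the `user` argument is the identity your authentication layer has already established, and the `EntryApi` class and its method names are hypothetical stand-ins for your server's token and POST handlers.

```python
import secrets
import time
from collections import defaultdict, deque


class EntryApi:
    """Hypothetical server-side guard for the 'post a new entry' endpoint."""

    def __init__(self, max_posts_per_minute=5, token_ttl=60, clock=time.monotonic):
        self.max_posts = max_posts_per_minute
        self.token_ttl = token_ttl          # seconds a token stays valid
        self.clock = clock                  # injectable for testing
        self.tokens = {}                    # token -> (user, issued_at)
        self.posts = defaultdict(deque)     # user -> timestamps of recent posts
        self.entries = []                   # constructed in-memory store

    def issue_token(self, user):
        # Step 1: the authenticated client must ask for a one-time token first.
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, self.clock())
        return tok

    def _rate_limited(self, user):
        # Sliding one-minute window of POSTs per authenticated user.
        now = self.clock()
        window = self.posts[user]
        while window and now - window[0] > 60:
            window.popleft()
        if len(window) >= self.max_posts:
            return True
        window.append(now)
        return False

    def post_entry(self, user, token, body):
        # Step 2: the POST is accepted only with a fresh, unused token that was
        # issued to this same user, which enforces the issue-then-post order.
        rec = self.tokens.pop(token, None)  # pop makes the token single-use
        if rec is None:
            return 403, "unknown or already-used token"
        owner, issued_at = rec
        if owner != user:
            return 403, "token was issued to another user"
        if self.clock() - issued_at > self.token_ttl:
            return 403, "token expired"
        if self._rate_limited(user):
            return 429, "too many entries; try again later"
        self.entries.append((user, body))
        return 201, "created"
```

As the answer notes, this deters replay and bulk abuse but cannot prove the request came from the extension; a counterfeit client that holds a valid user session can still walk through the same two steps, so keep the per-user limits and monitoring in place.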