I have developed a chatbot widget that can be integrated into any website by hosting it and embedding it in an iframe. I have also built a REST API using Flask and deployed it on Google Cloud Run. The front-end widget communicates with the API by sending requests that contain the user query, the session ID, and the website domain where the iframe is embedded. The API responds with the chatbot output.
However, I am facing a security issue. The API URL is visible in the client-side code, and the API allows unauthenticated invocations. How can I secure the API so that only my widget can access it? How can I prevent unauthorized calls to the API without asking visitors to login or provide any credentials?
Hello,
I don't think this is related to Cloud Run functionality.
Each website should have its own API key built into the iframe src. Then handle the API key in your code.
Take a look at how Google Maps allows iframes for developers with an API key.
Have fun.
See my response to a related question
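As an added illustration of the per-site key approach above (example code, not from the thread or from Google's products): the key in the iframe src is public, so the server checks it against the Referer of the request that loads the iframe document (the embedding page), and only then issues a short-lived signed token that the widget uses for /chat calls. The key registry and signing secret below are constructed sample values; a hypothetical Flask app would call issue_token when serving the iframe and verify_token on each chat request.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed sample registry: public key placed in the iframe src -> hostname
# allowed to embed the widget. In a real deployment this lives in a datastore.
SITE_KEYS = {"pk_example_site_a": "shop.example.com"}
# Assumed server-side secret (e.g. loaded from Secret Manager), never sent to clients.
SIGNING_SECRET = b"replace-with-secret-from-secret-manager"
TOKEN_TTL = 3600  # seconds a widget session token stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(api_key, referer, now=None):
    """Run when the iframe document itself is served. Its Referer is the
    embedding page, so the key can be bound to the site it was issued to.
    Returns a signed session token, or None if key and embedding host disagree."""
    site = SITE_KEYS.get(api_key)
    host = urlsplit(referer).hostname if referer else None
    if site is None or host != site:
        return None
    exp = int(now or time.time()) + TOKEN_TTL
    payload = json.dumps({"site": site, "exp": exp}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def verify_token(token, now=None):
    """Run on every /chat request. Returns the site hostname the token was
    issued for, or None if the token is malformed, forged or expired."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (AttributeError, ValueError):
        return None
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if claims["exp"] < int(now or time.time()):
        return None
    return claims["site"]
```

The Referer on the iframe request depends on the embedding page's referrer policy, so document that the default policy (which still sends the origin across sites over HTTPS) is required; since the key itself is public, rate-limit per key as well.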