Instagram + Heroku + Django + HTTP headers

[Dr Shauny]

Hi,

I have a Django/Python app that is hosted on Heroku. The app uses the Instagram API.

I am trying to secure the app by enforcing signed HTTP headers using X-Insta-Forwarded-For.

The actual header value is constructed as - "The expected value is a combination of the client's IP address and a HMAC signed using the SHA256 hash algorithm with your client's IP address and Client Secret"

Does anyone know what IP information should be used for a Heroku hosted app? - the app IP is dynamic and unpredictable but the Instagram devs have told me that just an approximate IP is required, possibly only a Heroku gateway IP. How do I find out what is a suitable IP? (I dont want to use a proxy to fix the IP).

Also how do I actually add this header information to http headers? Middleware has been mentioned but I dont know where to start with coding a middleware solution. Is it possible to do this at the web server level on Heroku - would this be easier than middleware?

Anyone had experience of a similar setup that could give me some pointers here. All info much appreciated.

Thanks,

S.

[Daniel Roseman]

Interesting question. I also happen to be creating an app on Heroku using Instagram, and I hadn't come across the signed header option before, so thanks. (Interestingly it doesn't seem to be easily googleable - the only reference appears to be your question, and something in Russian. I wonder if it's very new?)

Looking at the docs, it seems that it doesn't want the IP of your app itself, but the value of the *client*, which you can access in the X-Forwarded-For header. The StackOverflow question at [1] quotes Heroku's director of security (who also, not coincidentally, happens to be Django's very own Jacob Kaplan-Moss) as stating that Heroku preserves the original client IP and prepends any other values, so it looks as if you can pass in the string available from `request.META['X-FORWARDED-FOR']` directly.

If I've misunderstood that and you do need the IP of the server, it looks like the only way to do that would be to use one of the Heroku add-ons that routes outgoing data through a static proxy. Proximo and QuotaGuard seem to be the options - only QuotaGuard offers a free development option, though.

As regards how to get the value into the request, middleware wouldn't be an appropriate solution here at all. However looking at the repo for the Python instagram client, just yesterday a pull request ([2]) was merged that added in support for exactly this - so you can pass in the IP and your client secret when instantiating the API object.

  [1]: http://stackoverflow.com/questions/18264304/get-clients-real-ip-address-on-heroku

  [2]: https://github.com/Instagram/python-instagram/pull/76

--

DR.