Is HTTP_X_APPENGINE_INBOUND_APPID authenticated?


Andrin von Rechenberg

Jul 26, 2011, 5:39:53 AM
to google-a...@googlegroups.com
Hey there

I was wondering if the header HTTP_X_APPENGINE_INBOUND_APPID
could be faked by a client or if the Google Frontends authenticate this header
somehow?

Is it secure to assume that if HTTP_X_APPENGINE_INBOUND_APPID is present,
the request is really from that app?

Cheers,
-Andrin

Jon McAlister

Jul 26, 2011, 11:23:09 AM
to google-a...@googlegroups.com
Yes, you can assume this.

The only cases where this header will be allowed through to the app are:
(a) another app is requesting your app using our urlfetch api [or,
the app is urlfetching itself]
(b) the request came from a logged-in admin of your app

While (a) is the primary intention of this header, (b) can be useful
for debugging purposes.


Jon McAlister

Jul 26, 2011, 11:24:11 AM
to google-a...@googlegroups.com
I should also point out that, while this header is not yet documented,
it's not going away either, and will be documented in an upcoming
release.

MiuMeet Support

Jul 29, 2011, 12:40:59 PM
to google-a...@googlegroups.com
Why isn't this header present if I call my own app from my app?
I'm trying to build an appengine lib that will interact with an appengine app,
but if that appengine app uses the lib too, the headers will be missing... :(

Cheers :)

-Andrin

Jon McAlister

Jul 29, 2011, 1:18:46 PM
to google-a...@googlegroups.com
Right now it's only being sent when the request is to an appspot.com
url. Is that the case in your example?

Andrin von Rechenberg

Jul 29, 2011, 2:17:30 PM
to google-a...@googlegroups.com

Jon McAlister

Jul 29, 2011, 2:58:23 PM
to google-a...@googlegroups.com
It also does not apply if using urlfetch.py, unless you set
follow_redirects=False explicitly (or the equivalent option in java).

On Fri, Jul 29, 2011 at 11:17 AM, Andrin von Rechenberg
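An added example, not code from anyone in this thread: the receiving side of what Jon describes. Since App Engine's frontends only let X-Appengine-Inbound-Appid through when the request arrived via another app's urlfetch (or from a logged-in admin), the app can trust the value, but it still has to check it against its own allowlist of caller app IDs. The WSGI environ key HTTP_X_APPENGINE_INBOUND_APPID is the one from the original question; the app IDs and sample requests below are constructed.

```python
# Added example (not from the thread): WSGI middleware that gates an App Engine
# handler on the frontend-supplied X-Appengine-Inbound-Appid header. The header
# value can be trusted only because the frontends strip client-supplied copies;
# the allowlist decides WHICH caller apps may reach the wrapped handler.
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple

HEADER_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"  # WSGI environ key for the header


def inbound_appid(environ: dict) -> Optional[str]:
    """Return the caller app ID set by the App Engine frontend, or None if absent."""
    value = environ.get(HEADER_KEY, "").strip()
    return value or None


def is_trusted_caller(environ: dict, allowed_appids: FrozenSet[str]) -> bool:
    """True only when the header is present and names an explicitly allowed app."""
    appid = inbound_appid(environ)
    return appid is not None and appid in allowed_appids


class InboundAppIdGate:
    """Wrap a WSGI app; deny requests whose inbound app ID is missing or unknown."""

    def __init__(self, app: Callable, allowed_appids: Iterable[str]) -> None:
        self.app = app
        self.allowed = frozenset(allowed_appids)

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        if not is_trusted_caller(environ, self.allowed):
            body = b"forbidden: caller app not allowed\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _hello(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Hypothetical protected handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call_gate(environ: dict, allowed: Iterable[str]) -> Tuple[str, bytes]:
    """Run one constructed request through the gate; return (status, body)."""
    captured: List[str] = []
    gate = InboundAppIdGate(_hello, allowed)
    body = b"".join(gate(environ, lambda status, headers: captured.append(status)))
    return captured[0], body


# Constructed sample: a request the frontend tagged as coming from "partner-app".
SAMPLE_ENVIRON = {"REQUEST_METHOD": "GET", HEADER_KEY: "partner-app"}
```

The gate only works for requests to an appspot.com URL made with redirects disabled, as Jon notes above; a call that follows a redirect arrives without the header and is denied.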
