I've created a web widget that displays user-specific information from my site. This widget is JavaScript-based (I followed this example), and can be embedded in other sites.
Rather than directly serving the file, you could try using request.referer and only optionally sending the JavaScript file (via a controller action) based on a list of approved web hosts. You can use send_file to conveniently send the JavaScript to the client (set caching options in HTTP header so browsers don't repeatedly ask for the file). However, the referrer can be spoofed and may not be sent depending on HTTPS => HTTP configurations.
You also might consider requiring an API key for your JavaScript file (just append it on as part of the JavaScript file request). While it's not foolproof by any means, it makes tracking usage much simpler. (And by using logs, you may be able to discover non-legit uses.)
You have to use some additional tricks along with OAuth in order to positively identify the client.
This question was answered in detail here.
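The referrer allowlist and API key check suggested above can be combined into one decision function. This is an added example, not code from the original posts. The key, the host names, the log format and the choice to serve when no Referer is sent are all assumptions made for illustration.

```ruby
require "uri"

# Constructed sample data: each API key maps to the hosts allowed to embed with it.
KEY_HOSTS = {
  "k-demo-123" => %w[partner.example www.partner.example]
}.freeze

# Parse the Referer and return its lowercased host, or nil if absent/unusable.
# Matching on the parsed host (not a substring of the header) keeps
# "partner.example.attacker.test" from passing as "partner.example".
def referer_host(referer)
  return nil if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return nil unless %w[http https].include?(uri.scheme)
  uri.host&.downcase
rescue URI::InvalidURIError
  nil
end

# Returns [decision, reason, log_line]; decision is :serve or :deny.
# The key travels in the script URL, so it is visible in page source: it
# identifies a customer for tracking, it is not a secret.
def widget_decision(referer:, api_key:)
  hosts = KEY_HOSTS[api_key.to_s]
  host  = referer_host(referer)
  decision, reason =
    if hosts.nil?
      [:deny, "unknown_key"]
    elsif host.nil?
      # The Referer may be missing (e.g. HTTPS => HTTP), so serve but flag it.
      # Assumed policy; a stricter site could deny here.
      [:serve, "no_referer"]
    elsif hosts.include?(host)
      [:serve, "ok"]
    else
      [:deny, "host_not_approved"]
    end
  key_label = hosts ? api_key : "-"
  line = "widget key=#{key_label} referer_host=#{host || '-'} " \
         "decision=#{decision} reason=#{reason}"
  [decision, reason, line]
end
```

In a Rails controller action this would be called with request.referer and the key taken from the request parameters, with send_file invoked only on :serve. Lines with reason=host_not_approved or a high volume of no_referer for one key are the entries to review in the logs.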