API key referrer restrictions do not work

Hi,

From the Algolia Portal, I have added a new API key with the right restrictions to limit referrers.

The key settings are (given for illustration):
Description: This is my new key for testing
Indices: my_index
Valid for: 0
Max API calls/IP/hour: 0
Max hits/query: 0
HTTP Referers: https://www.mydomain.com*
ACL: Selected all the checkboxes

In the testing app backend, when I access the app from a URL starting with https://www.mydomain.com, I get this error:

Uncaught AlgoliaSearch\AlgoliaException: Method not allowed with this referer …
“POST /index.php HTTP/1.1”, host: “mydomain.com”, referrer: “https://mydomain.com/index.php?content=algolia-sync

Am I missing something?

Hello,

Based on the error message, it looks like the referrer sent to the Algolia API is https://mydomain.com and not https://www.mydomain.com (note the www) as configured in the key.

You might have your server configured to redirect all www calls to the root directly, and thus the script executed on the root actually sends its referrer. One way to fix this issue would be to update the configuration of your server to send the same referrer as the URL it was accessed from (but this will be out of the scope of what we could assist you with).

Another solution would be to update your key to use *mydomain.com* as the HTTP referer, to accept both www.mydomain.com and mydomain.com as referrers.

Hope that helps

Thanks for the reply.

I have checked the web server config for the referer settings, and the visited URL is the one which is logged.

For allowing the whole domain: even when I allow the entire domain mydomain.com (match all referers which contain the string mydomain.com) for the HTTP Referers in the API key settings of the Algolia dashboard, I still get the same error message “Method not allowed with this referer …”. When I remove the referer in the Algolia dashboard above (leave the “HTTP Referers” field empty), the sync works!

Any idea?

The issue has been fixed with the help of the Algolia support team.

For reference: I had to force the HTTP referer header during the interaction with the Algolia index.
https://www.algolia.com/doc/api-reference/api-methods/set-extra-header/

$client->setExtraHeader('referer', 'https://www.mydomain.com');
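To make the three outcomes in this thread concrete, here is an added example (not code from the thread, from Algolia, or from the Algolia PHP client) that models the "HTTP Referers" restriction as a wildcard match on the Referer header the API receives. It assumes that `*` is the only wildcard and that a pattern must cover the whole header value, so `https://www.mydomain.com*` is a prefix match and `*mydomain.com*` is a substring match, which is the reading the thread itself gives. The request headers are constructed for illustration; a backend script sends no Referer unless one is forced, which is what the `setExtraHeader` fix above supplies.

```python
import re
from typing import Dict, Iterable, Optional

# Added illustration, not Algolia's implementation: a simplified model of an
# API key's "HTTP Referers" restriction. Assumption: '*' is the only wildcard
# and a pattern has to cover the whole Referer value.


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a referer pattern into an anchored regex ('*' becomes '.*')."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def referer_header(headers: Dict[str, str]) -> Optional[str]:
    """Header names are case-insensitive (the PHP snippet spells it 'referer')."""
    for name, value in headers.items():
        if name.lower() == "referer":
            return value
    return None


def referer_allowed(allowed_patterns: Iterable[str], headers: Dict[str, str]) -> bool:
    """Model of the API-side check: True if the request would be accepted."""
    patterns = list(allowed_patterns)
    if not patterns:                      # "HTTP Referers" left empty: no restriction
        return True
    referer = referer_header(headers)
    if referer is None:                   # restricted key but no Referer sent: rejected
        return False
    return any(pattern_to_regex(p).match(referer) for p in patterns)


# Constructed request headers for the situations described in the thread.
BROWSER_WWW = {"Referer": "https://www.mydomain.com/index.php?content=algolia-sync"}
BROWSER_BARE = {"Referer": "https://mydomain.com/index.php?content=algolia-sync"}
BACKEND_DEFAULT = {"User-Agent": "example-backend/1.0"}   # server-side call: no Referer at all
BACKEND_FORCED = {"User-Agent": "example-backend/1.0",
                  "referer": "https://www.mydomain.com"}  # the setExtraHeader fix
UNRELATED_SITE = {"Referer": "https://example.net/page?q=mydomain.com"}

# The three key configurations tried in the thread.
WWW_PREFIX = ["https://www.mydomain.com*"]
ANY_SUBSTRING = ["*mydomain.com*"]
UNRESTRICTED = []


def run_scenarios() -> Dict[str, bool]:
    """Evaluate each configuration/request pair; keys name the thread's situations."""
    return {
        "www key, browser on www":           referer_allowed(WWW_PREFIX, BROWSER_WWW),
        "www key, browser on bare domain":   referer_allowed(WWW_PREFIX, BROWSER_BARE),
        "substring key, bare domain":        referer_allowed(ANY_SUBSTRING, BROWSER_BARE),
        "substring key, backend no referer": referer_allowed(ANY_SUBSTRING, BACKEND_DEFAULT),
        "www key, backend forced referer":   referer_allowed(WWW_PREFIX, BACKEND_FORCED),
        "no restriction, backend":           referer_allowed(UNRESTRICTED, BACKEND_DEFAULT),
        "substring key, unrelated site":     referer_allowed(ANY_SUBSTRING, UNRELATED_SITE),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        verdict = "accepted" if ok else "Method not allowed with this referer"
        print(f"{name:36s} -> {verdict}")
```

Two things worth noting from the model. First, the backend case fails under every restricted configuration because no Referer is sent at all, not because the pattern is wrong; that is why widening the pattern did nothing and forcing the header did. Second, the Referer is whatever the caller chooses to put in the request, as the fix itself demonstrates, so a referer-restricted key limits where browsers can use it but does not stop anyone who holds the key from calling the API with a matching header; a leading wildcard such as `*mydomain.com*` also admits any referer that merely contains that string.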