Google app engine: cron security

Question

Google app engine: cron security

GAE provides cron jobs for scheduled jobs. How to set some protection so that someone cannot directly execute HTTP GET? In the following example, I can enter / updateData at any time in the browser url field to complete the task in the following settings:

cron: - description: daily update of the data in the datastore url: /updateData schedule: every day 00:00 timezone: ...

+6

security google-app-engine cron

Sugar tang Jan 7 '13 at 10:15

source share

2 answers

You need to add

 login: admin

as described here: URLS Protection for Cron

eg.

 application: hello-cron version: 1 runtime: python27 api_version: 1 handlers: - url: /updateData script: reports.app login: admin

+6

Paul collingwood Jan 7 '13 at 10:28

source share

nizz · Accepted Answer · 2013-01-07T13:58:14+0000

In addition to what Paul C said, you can create a decorator that checks the X-Appengine-Cron header, as shown below. Btw, the header cannot be faked, which means that if a request that was not created from the cron job has that header, App Engine will change the header name. You can also write a similar method for tasks by checking the X-AppEngine-TaskName in this case.

 """ Decorator to indicate that this is a cron method and applies request.headers check """ def cron_method(handler): def check_if_cron(self, *args, **kwargs): if self.request.headers.get('X-AppEngine-Cron') is None: self.error(403) else: return handler(self, *args, **kwargs) return check_if_cron

And use it like:

 class ClassName(webapp2.RequestHandler): @cron_method def get(self): ....

Google app engine: cron security

More articles: