Google App Engine: security of cron jobs
You need to add

    login: admin

to the handler, as detailed here: Securing URLS for Cron

E.g.

    application: hello-cron
    version: 1
    runtime: python27
    api_version: 1

    handlers:
    - url: /updateData
      script: reports.app
      login: admin

In addition to what Paul C said you could create a decorator that checks the X-Appengine-Cron header as illustrated below. Btw, the header can't be spoofed, meaning that if a request that hasn't originated from a cron job has this header, App Engine will change the header's name. You could also write a similar method for tasks, checking X-AppEngine-TaskName in this case.

    def cron_method(handler):
        """
        Decorator to indicate that this is a cron method and applies request.headers check
        """
        def check_if_cron(self, *args, **kwargs):
            # Reject the request unless the cron header is present
            if self.request.headers.get('X-AppEngine-Cron') is None:
                self.error(403)
            else:
                return handler(self, *args, **kwargs)
        return check_if_cron

And use it as:

    import webapp2

    class ClassName(webapp2.RequestHandler):
        @cron_method
        def get(self):
            pass  # ....