I like that the API key would be flagged explicitly as “allowed in GET” at the user level.
As a whole the option could be open for any GETs. The rule I like is, when operating in this mode:
- User API key is 100% restricted to a single specific GET controller action
- User API key is flagged as allowed in GET query params.
This limits the impact of any leak here via a proxy, because the key will never be reused.
I guess {get: 'list#new'}, {get: 'list#latest'} would work as well.
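The check described in this comment, written out as an added example (not code from the original thread or the project under discussion): a key carries a scope like {get: 'list#latest'} plus a user-level allowed_in_get_query flag, and a key presented in the query string is accepted only when the flag is set, the request is a GET, and the key is restricted to exactly one GET controller action. The ApiKey and Request structs, the authorize/scope_allows?/single_get_action? helpers and the :header/:query key_source values are assumptions for illustration, not the project's own API.

```ruby
# Added example: minimal authorization rule for an API key that may be passed
# in GET query parameters. All names below are hypothetical.

# token: the secret; scope: Hash such as { get: 'list#latest' } naming the only
# controller#action this key may call; allowed_in_get_query: user-level flag.
ApiKey  = Struct.new(:token, :scope, :allowed_in_get_query, keyword_init: true)

# key_source is :header when the key came from a request header and :query when
# it was found in the query string (the case that may leak via proxy logs).
Request = Struct.new(:http_method, :controller, :action, :key_source, keyword_init: true)

# True when the key is limited to exactly one GET controller action.
def single_get_action?(scope)
  scope.is_a?(Hash) && scope.keys == [:get] && Array(scope[:get]).size == 1
end

# True when the scope permits this verb + controller#action.
# An empty scope means an unrestricted key.
def scope_allows?(scope, verb, route)
  return true if scope.nil? || scope.empty?
  allowed = scope[verb]
  return false if allowed.nil?
  Array(allowed).include?(route)
end

# Returns true only if the request may proceed with this key.
def authorize(key, req)
  route = "#{req.controller}##{req.action}"
  verb  = req.http_method.to_s.downcase.to_sym

  case req.key_source
  when :header
    # Header-presented keys are only bound by their scope.
    scope_allows?(key.scope, verb, route)
  when :query
    # Query-string keys must satisfy all three rules from the comment:
    #   1. the key is explicitly flagged as allowed in GET query params,
    #   2. the request is a GET,
    #   3. the key is restricted to a single specific GET controller action.
    return false unless key.allowed_in_get_query
    return false unless verb == :get
    return false unless single_get_action?(key.scope)
    scope_allows?(key.scope, verb, route)
  else
    false
  end
end

# Constructed sample: a key scoped to list#latest, allowed in the query string.
if __FILE__ == $PROGRAM_NAME
  key = ApiKey.new(token: 'constructed-sample-token',
                   scope: { get: 'list#latest' },
                   allowed_in_get_query: true)
  req = Request.new(http_method: 'GET', controller: 'list',
                    action: 'latest', key_source: :query)
  puts authorize(key, req) ? 'allowed' : 'denied'
end
```

A key whose flag is off, or whose scope lists more than one action, is refused in query-string form even for the matching GET, so a logged or proxied URL can at most replay that single read-only action.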