Restricting Apache Access Through Facebook
I'm deploying a facebook app and I'm wondering if there's anyway of restricting Apache access to the context of the app. That is, disallowing access to the files outside the actual running of the app.
Perhaps, though, I didn't make myself clear.
I have a facebook app that consists of a Flash client and some other files. I have the delivery of these already working under Apache.
Now, here's the gist of my question: a facebook app runs inside of an iframe in facebook, and I wanted to know if it were to possible to restrict access to my app so that people running the app inside facebook could access the client and other files while restricting access outside of the scope of the facebook iframe.
Another way would be app specific with a none token set per client instance (which you verify via POST only valid signed_request payload), or even hardcoded in the flash app. But even that can be spoofed.
Edit: Ah, guspaz beat me to it