agermose

ok, maybe there is some misunderstand here :)

Im starting to suspect that we are not talking about the same API - I hope there is more than one :)

In simpledns admin you go to the api section and there you can create a password and say if the api should be enabled or not. If enabled you can call http://mysimplednsserver.com/listzones and stuff like this for updating, deleteing, listning and so on.

If you enable a password, then you need this of cause - if not you can do this from any server that has access through the firewall and of cause from localhost. Since HC is installed on one of the webservers at least from this server there needs to be access to calling URLs like this - if we are talking about the samme kind of API access.

so probably using the HC webadmin pages everything is ok, BUT the problem is that any other site on the same server will have access to the same API without any password protection. Wide open.

what ever you have codein IN the HC code is not my concern (in this thread anyway), just that the http api of simple dns is left wide open for others to call and exploid from any other script on any other website on this server.

(I never really understod why You needed to install HC on the webserver instead of installing it on the DNS server and dedicating this server as a "hc admin" server - again making a small contrib to security - keeping things apart)

It seems question was not explained well or could not be understood from either one. Are you saying that if you enable Simple DNS to run API with password then HC wont be able to communicate with Simple DNS password protected API since HC does not have any such thing defined on their side.