Modify Account Security, Distributed API, and Allowed Referrer Settings
Posted on 11 April 2011 09:46 AM

If using the "Advanced Method" API (sending secret key) or a 3rd-party script with the "Lock to Account" feature enabled, the system will add your referrer automatically, and these instructions are unnecessary.

If using the "Simple Method" (embedded) or manually adding allowed referrers, then see below:

Using the "Distributed API" will override your list of referrers.

Locate the Account Security section in the ShrinkTheWeb Dashboard

Click the Manage Security Settings link.


This opens the Security form, where you will find your Access Keys and a field to specify referrer domains/IPs.

Lock Access to Account

This feature is enabled by default.  It locks your account credentials to the referrers or sites you specify. Disabling this feature is not recommended as it may open your account to possible abuse.

Note: "Lock Access to Account" may NOT be disabled by Free users for abuse reasons.


Allow ONLY Distributed API Security

This feature is disabled by default and not available to Free Accounts. It is designed for users who need the highest level of security by preventing access by any means other than the distributed API security method. This option overrides "Lock to Account" and "IP Override" and ignores the "Allowed Referrers" list. Sample code for this feature can be found in the STW PHP Sample code.


Override Lock to Account for IPs Only

This feature is disabled by default.  It is designed for users who use the embedded method, by default, but also have distributed applications (mobile, social, etc) where all IPs must be allowed.  This feature should only be enabled by advanced users.

Note: "Override Lock to Account for IPs Only" may NOT be disabled by Free users for abuse reasons.


Lock to Account (Allowed Referrers) List Entry

   Adv Method Requests (i.e. via a script or 3rd Party Plugin) - Uses your server's IP address

  1. Scripts that send your secret key will automatically add your server's IP
  2. In special cases, use PING to get your website's IP address and enter it
  3. In special cases, you may also need to enter the website's domain.tld

   Embedded Requests

  1. Enter Domain - domain.tld or subdomain.domain.tld, if necessary*
    *It is not necessary to use www.domain.tld OR subdomain.domain.tld if you already have domain.tld because it overrides all the others. For instance, entering ONLY www.domain.tld would mean all requests from http://domain.tld would be blocked! 
  2. Enter Specific Pages  - Use a trailing slash and path to display screenshots ONLY on specific pages.
    • domain.tld/ = all except homepage; or 
    • domain.tld/path/to/page.htm = only the specific page entered

   Direct Requests (i.e. putting into your browser for testing) - Enter your local IP address (What Is My IP)

Check that the information you have added is correct and click the Save button when ready.

Note: Only the domains/URLs and IPs specified in your "Allowed Referrers" list will be able to use your account unless the "Lock to Account" is disabled. If "Override Lock to Account for IPs Only" is enabled, then ALL IPs will be allowed but domains/URLs not on the list will still be blocked.
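To check a planned list before saving it, the entry rules above can be modelled in a few lines. This is an added example, not ShrinkTheWeb's code: the function name, the label-boundary subdomain match, and the case-sensitive path comparison are assumptions, and the "Allow ONLY Distributed API Security" option is not modelled.

```python
# Added example: a model of the documented rules, not ShrinkTheWeb's code.
from ipaddress import ip_address
from urllib.parse import urlsplit


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def _host_matches(host, entry_host):
    # domain.tld covers itself and its subdomains; www.domain.tld does not
    # cover domain.tld. Matching on a label boundary is an assumption, so
    # that notdomain.tld is never treated as domain.tld.
    return host == entry_host or host.endswith("." + entry_host)


def referrer_allowed(referrer, allowed, lock=True, ip_override=False):
    """referrer: page URL (embedded request) or caller IP (script/direct)."""
    if not lock:                        # "Lock to Account" disabled
        return True
    if _is_ip(referrer):                # IP-based request
        return ip_override or referrer in allowed
    url = urlsplit(referrer if "//" in referrer else "//" + referrer)
    host, path = (url.hostname or "").lower(), url.path or "/"
    for entry in allowed:
        if _is_ip(entry):
            continue
        entry_host, slash, entry_path = entry.partition("/")
        if not _host_matches(host, entry_host.lower()):
            continue
        if not slash:                   # "domain.tld": every page
            return True
        if not entry_path:              # "domain.tld/": all except homepage
            if path != "/":
                return True
        elif path == "/" + entry_path:  # "domain.tld/path": only that page
            return True
    return False
```

Running each page URL and server IP you expect to use through `referrer_allowed` shows which requests an entry such as `www.domain.tld` leaves uncovered.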

If you have confirmed all your settings are accurate, enable "Full Logging" for further troubleshooting.

Note: Using a shared IP address is not supported with Free accounts.  If you are using a shared IP address that has already been reserved by another user, you will receive the following error when trying to add it to your "Lock to Account (Allowed Referrers)" list:

"The domain or IP ( is already listed in another account!" 

Note: Referrers can not be used in multiple accounts and multiple accounts are NOT allowed.



Q: "How many referrers may I add to an account?"
A: We currently support about 100,000 "Allowed Referrers" PER account. 

Q: "What if I want to show screenshots on Social Sites or in Mobile Apps?"
A: If developing for mobile or social applications, it may be necessary to upgrade to Basic or PLUS and implement the "Distributed API" for maximum security. This assumes you have an endpoint on your own server(s) that communicates with your app and also with our service. A simpler, but much less secure, alternative is to check "Override Lock to Account for IPs Only" (or unlock the account [strongly discouraged]). If you are unable to use the "Advanced Method" API, your basic credentials will be available and not locked. In that case, you would need to keep an eye on usage and use Full Logging to identify any service theft of your credentials.

Q: "Why can't I add certain sites, like Facebook, Twitter, Google, etc?"
A: We maintain a "whitelist" of master referrers, which contains several public sites. Generally speaking, if you do not control the domain, then you should not enter it. For instance, domains like are blocked from being entered, because nobody can show screenshots on Google, except for Google.
