如何限制对我的Web服务的访问? [英] How to restrict access to my web service?
问题描述
我有 http://example.com/index.html ,它在HTML中使用JavaScript(XmlHttpRequest)以<$ c $调用网络服务c> http://example.com/json/?a = ...& b = ...
I have http://example.com/index.html, which from within the HTML uses JavaScript (XmlHttpRequest) to call a web services at http://example.com/json/?a=...&b=...
网络服务返回 index.html 一个JSON信息数组,然后显示在 index.html 上。
The web service returns to index.html a JSON array of information to then be displayed on index.html.
因为任何人都可以查看 index.html 的源代码,看看我是如何调用JSON Web服务的( http://example.com/json/ ),如何阻止人们直接调用我的JSON Web服务?
Since anyone can view the source code for index.html and see how I'm calling the JSON web service (http://example.com/json/), how do I prevent people from calling my JSON web service directly?
由于Web服务本质上是一个开放的读取进入我的数据库,我不希望人们滥用Web服务并开始直接从Web服务获取数据,启动DoS my服务器,获取比他们应有的更多信息等。
Since the web service is essentially an open read into my database, I don't want people to abuse the web service and start fetching data directly from the web service, start DoS my server, fetching more information than they should, etc..
更新:
无法限制 http://example.com/json/ 的请求只来自 http://example.com/index.html 的同一服务器(IP)和URL请求?
Is there no way to limit requests for http://example.com/json/ to only come from the same server (IP) and URL request of http://example.com/index.html?
含义,不能 http://example.com/json/ 检测到请求者是( $ _ SERVER ['REQUEST_URI' ] == http://example.com/index.html )并且只允许这样做?
Meaning, can't http://example.com/json/ detect that the Requester is ($_SERVER['REQUEST_URI'] == http://example.com/index.html) and only allow that?
推荐答案
没有简单的方法来阻止。如果您的服务不是非常受欢迎,因此可能成为拒绝服务攻击的目标,我不会打扰。
There are no easy way to prevent that. If your service isn't extremely popular and thus being likely target for denial of service attacks, I wouldn't bother.
我想到的一件事是使用一次性物品令牌(适用于10或100个请求)。
One thing which came into my mind is using disposable tokens (valid for 10 or 100 requests).
其他(天真)方法是检查请求中是否存在X-Requested-With标头,但当然可以很容易伪造。所以,我的建议是:什么都不做,除非问题是真的。
Other (naive) approach is checking that X-Requested-With header exists in request, but of course that can be easily faked. So, my advice is: do nothing unless the problem is real.
还有一个想法:哈希计算。这个想法是要求客户端对每个请求执行相当昂贵的计算,而验证服务器端的计算是便宜的。对于单个请求,开销非常小,但是对于1000个请求,可能需要大量的CPU时间。我不知道hashcalc是否已用于阻止DoS的Web服务。几年前它被提议作为反垃圾邮件措施,但从未流行过。
One more idea: hash calc. The idea is to require client performing rather expensive calculation per every request, while validating the calculation in server side is cheap. For a single request the overhead is very small, but say for 1000 requests it may take significant amount of CPU time. I have no idea if hashcalc has been used to prevent DoS'ing web services. Some years ago it was proposed as antispam measure, but never became popular.
这篇关于如何限制对我的Web服务的访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
