保护REST API的最佳方法是什么? [英] What is the best way of securing a REST API?
问题描述
我正在使用Jersey
用Java开发REST API,保护它的最佳方法是什么?我从基于密码的身份验证Servlet Context
中了解了各种内容,并且听说了令牌化等等.但是,保护行业安全的行业标准方法是什么,以确保没有人可以通过仅在浏览器中键入URL来从GET
请求中获取数据,只需从PostMan
进行POST
调用,等等?是否有任何有关实施此最佳方法的学习材料?
I am developing a REST API with Java using Jersey
and what is the best way of securing it? I looked at various things from password based authentication, Servlet Context
, and I heard about tokenization and so on. But what is the industry standard way to secure it and make sure nobody can get data from a GET
request by just typing the URL in browser, simply make a POST
calll from PostMan
and so on? Any learning materials on implementing this best way?
用简单的英语来说,我要问的是,如何通过确保API仅适用于我们的应用程序来保护我的REST API?做到这一点的方法可以是从密码到令牌的任何东西.我现在正在尝试实施它,但现在我正在学习它,但是在我需要学习什么之前,因为我正在寻找最佳实践和行业标准方法.
In simple English, what i am asking is, how can I secure my REST API by making sure the API is accesible only to our app?. The method of doing it can be anything from password to token. I am learning it now trying to implement it, but before I need to know what to learn, because I am looking for the best practice and industry standard way of doing so.
推荐答案
这里是开始保护API的好地方:
Here is pretty good place to start to secure your API:
- 使用HTTPS
- 使用用户名/密码进行身份验证
- 用户成功登录后,您会为他们生成一个令牌
- 将令牌分配给该用户(简便的方法是将其保存在数据库中)
- 要求用户在每次请求时都发送该令牌
- 在响应任何请求之前验证令牌
话虽这么说,但存在一些担忧.您应该研究如何实现这些目标:
That being said there are some concerns. You should research how to achieve these:
-
将凭据以加密形式存储在数据库中,以防数据库受到损害.
Store credentials in your DB in an encrypted form in case your DB is compromised.
如果您将令牌存储在数据库中,则验证需要进行数据库查找,这是否会成为问题,您是否会承受重担?
If you store your tokens in a DB, validation requires a DB lookup, will that be an issue, are you expecting heavy load?
如果使用无状态身份验证(例如JWT),则如何撤消访问(如果需要). (提示:查看访问权限+刷新令牌方案+黑名单)
If you use a stateless authentication, for example a JWT then how do you revoke access if you need to. (Hint: look into access+refresh token scheme + a blacklist)
您如何运输令牌,标头,cookie?
How do you transport your token(s), header, cookie?
通过跨站点脚本(也称为XSS)和跨站点请求伪造(也称为CSRF或XSRF)保护您的API.
Protect your API from cross site scripting(a.k.a. XSS) and cross site request forgery(a.k.a. CSRF or XSRF).
注意:这些只是我脑海中的一些快速思考,您可以在网上找到很多有关这些的信息.
NOTE: these are just some quick thoughts off the top of my head, you can find a lot of information about these online.
这篇关于保护REST API的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!