What is the best way of securing a REST API?

Views: 130

Problem description

I am developing a REST API with Java using Jersey, and what is the best way of securing it? I looked at various things from password-based authentication, Servlet Context, and I heard about tokenization and so on. But what is the industry-standard way to secure it and make sure nobody can get data from a GET request by just typing the URL in a browser, simply make a POST call from PostMan, and so on? Any learning materials on implementing this best way?

In simple English, what I am asking is: how can I secure my REST API by making sure the API is accessible only to our app? The method of doing it can be anything from a password to a token. I am learning it now and trying to implement it, but before that I need to know what to learn, because I am looking for the best practice and industry-standard way of doing so.

Recommended answer

Here is a pretty good place to start securing your API:

  1. Use HTTPS
  2. Use username/password for authentication
  3. Once a user logs in successfully, you generate a token for them
  4. Assign the token to that user (an easy way is to save it in a DB)
  5. Require the user to send that token with every request
  6. Validate the token before responding to any request

That being said, there are some concerns. You should research how to achieve these:

  • Store credentials in your DB in an encrypted form in case your DB is compromised.

  • If you store your tokens in a DB, validation requires a DB lookup; will that be an issue, are you expecting heavy load?

  • If you use stateless authentication, for example a JWT, then how do you revoke access if you need to? (Hint: look into an access + refresh token scheme + a blacklist)

  • How do you transport your token(s): header, cookie?

  • Protect your API from cross-site scripting (a.k.a. XSS) and cross-site request forgery (a.k.a. CSRF or XSRF).

NOTE: these are just some quick thoughts off the top of my head; you can find a lot of information about these online.
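As an added example (not code from the question or the answer), here are steps 3 to 6 and the revocation concern above in Java for a Jersey 2 / JAX-RS 2 (`javax.ws.rs`) application: a hypothetical `TokenStore` that keeps only SHA-256 hashes of the tokens it issues, and a `ContainerRequestFilter` that rejects any request without a valid bearer token. The class names, the one-hour token lifetime and the in-memory map standing in for the database are assumptions.

```java
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory token store standing in for the database of step 4. */
final class TokenStore {
    private static final class Entry { final String user; final Instant exp; Entry(String u, Instant e) { user = u; exp = e; } }
    private final Map<String, Entry> byHash = new ConcurrentHashMap<>(); // keyed by SHA-256(token), never the token itself
    private final SecureRandom random = new SecureRandom();
    /** Step 3: after the password check succeeds, issue a 256-bit random token valid for one hour (assumed lifetime). */
    String issue(String user) {
        byte[] raw = new byte[32]; random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new Entry(user, Instant.now().plusSeconds(3600)));
        return token; // returned to the client once; a dumped table yields only hashes
    }
    /** Step 6: returns the owning user, or null when the token is unknown or expired. */
    String validate(String token) {
        Entry e = byHash.get(sha256(token));
        if (e == null || Instant.now().isAfter(e.exp)) return null;
        return e.user;
    }
    void revoke(String token) { byHash.remove(sha256(token)); } // revocation is a delete, unlike a stateless JWT
    static String sha256(String s) {
        try { return Base64.getUrlEncoder().withoutPadding().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))); }
        catch (java.security.NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
}

/** Steps 5 and 6: every request must carry the token in the Authorization header, or it is rejected. */
@Provider
public class BearerTokenFilter implements ContainerRequestFilter {
    static final TokenStore STORE = new TokenStore(); // shared with the (hypothetical) login resource
    @Override
    public void filter(ContainerRequestContext ctx) {
        String h = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String user = (h != null && h.startsWith("Bearer ")) ? STORE.validate(h.substring(7)) : null;
        if (user == null) ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
    }
}
```

Because the filter is not name-bound it applies to every resource, so the login endpoint that calls `issue()` must be exempted, for instance by binding the filter with a `@NameBinding` annotation to the protected resources only.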
