如何发布访问REST API的jQuery代码,但是要防止未经授权的使用 [英] How to publish jQuery code accessing a REST api, but have it secured from unauthorized use
问题描述
这个问题类似于这个问题:
我想要对服务器上的REST api开发基于jQuery的查询,以检索一些数据以显示在网页上.
我希望网页和jQuery的授权用户能够访问此数据,但不希望其他人能够复制该jQuery并将其放在自己的网站上以任何方式访问此数据.需要明确的是,这都是在浏览器中发生的客户端-无需涉及任何服务器端代码...
如果可能的话,实现此目标的正确策略是什么?
我不希望查看网页的最终用户必须了解他们在浏览器中正在进行的任何操作...
谢谢!
如果您不要求最终用户对您的网站进行任何身份验证,那么您就不能将其用作身份验证方法,而您想要您的网页无需任何其他干预就能使用REST API,那么就没有万无一失的方法来保护REST API.如果要在未经身份验证的浏览器中使用数据,那么任何人都可以检索该数据.
还请记住,他们也总是可以只运行您的网页,也可以从您的网页中解析数据,因此,如果不需要身份验证即可使用此网页,则该数据已经对公众可用.您无需身份验证就无法真正保护它.
有些事情可以使人们使用REST API更加困难,尽管没有一件事情是万无一失的.这些只是障碍,不是安全.
-
您可以将过期令牌放入您的网页中,将其包含在Web请求中,然后在REST API中确认它是未过期令牌.这样可以防止某人直接从另一个浏览器页面上使用您的REST API(他们没有合法的令牌),但不会阻止服务器首先获取主机页面,检索令牌然后使用它来访问API .
-
您可以尝试检查引荐来源网址,并且仅满足那些来自您的域的Web请求.这也不是万无一失的,因为引荐来源网址可以被欺骗,但这是一个障碍.
-
您可以使数据响应晦涩难懂,从而使如何立即解释返回的数据(加扰,加密等)变得不那么明显.同样,这只是一个障碍,不会阻止坚定的黑客对自己的代码解释响应的方式进行逆向工程,但这又是更多工作,妨碍了REST API的临时用户.
很多REST API要做的是要求每个API调用都使用accessKey.您的网页上将内置一个accessKey.任何希望使用您的API(在您的允许下)的外部开发人员都会申请一个accessKey,并将其授予他们(如果您希望他们能够使用您的API).然后,您的服务器仅允许来自批准的accessKeys的访问请求.如果发现对accessKey的恶意使用,则可以在服务器上关闭该accessKey的使用.如果某人违反了您自己网页中的访问密钥,那么您可以更改放置在自己的网页中的访问密钥,并撤销先前访问密钥的特权.显然,一些流氓开发人员可能会不断从您自己的网页中获取accessKey,但是他们必须定期执行此操作才能定期使用您的API.同样,这只是一个坚定/知识渊博的开发人员可以克服的障碍,但这是您对已公开的数据可以做的最好的事情.
仅供参考,这是另一个类似的讨论:如何限制JSON访问?
This question is similar to this one:
Developing API - how to make it secured?
What I want is to develop a jQuery based query against a REST api on my server to retrieve some data for display on a web page.
I want the authorized user of the web page and jQuery to be able to access this data, but don't want others to be able to copy that jQuery and put it on their site to access this data in any way. And to be clear, this is all happening client side in the browser - without any server side code involved...
What is the correct strategy to accomplish this if it is even possible?
I don't want the end user viewing the web page to have to know anything about any of this going on in their browser...
Thanks!
If you don't require your end-user to do any sort of authentication into your site so you can't use that as an auth method and you want your webpage to be able to use the REST API without any other intervention, then there is no foolproof way to secure your REST API. If you want the data in an unauthenticated browser, then anyone can retrieve that data.
Keep in mind also that they could always just run your web page and parse the data out of your web page too so, if no authentication is required to use this web page, the data is already available to the general public. You can't truly secure it without requiring authentication.
There are some things you can try to make it more difficult for people to use your REST API, though none are foolproof. These are only obstacles, not security.
You can put an expiring token into your web page, include that in the web request and then verify it's an unexpired token in the REST API. This prevents someone from just using your REST API directly from another browser page (they won't have a legal token), but doesn't prevent a server from first fetching the host page, retrieving the token and then using it to access the API.
You can try checking the referrer and only fulfill web requests that say that are coming from your domain. This is also not foolproof since the referrer can be spoofed, but it is an obstacle.
You can make the data response obscure so that it's not immediately obvious how to interpret the data that is returned (scrambled, encrypted, etc...). Again, this is just an obstacle that won't prevent a determined hacker from reverse engineering how your own code interprets the response, but it is again more work that gets in the way of casual users of your REST API.
What a lot of REST APIs do is require an accessKey be used with every API call. Your web page would have an accessKey built in. Any outside developer that wishes to use your API (with your permission) applies for an accessKey and you grant it to them (if you want them to be able to use your API). Your server then only allows access requests from approved accessKeys. If you find that there is some rogue use of an accessKey, you can shut down use of that accessKey at your server. If the accesskey in your own web page is being used by someone against your wishes, then you can change the accessKey you put in your own web page and revoke privileges for the previous accessKey. Obviously, some rogue developer could keep grabbing the accessKey out of your own web page, but they would have to do that regularly in order to regularly use your API. Again, it's just an obstacle that can be surmounted by a determined/knowledgeable developer, but it's about the best you can do for data that is already available to the public.
FYI, here's another similar discussion: How to restrict JSON access?
这篇关于如何发布访问REST API的jQuery代码,但是要防止未经授权的使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
