How to prevent arbitrary client apps from using anonymous web API?


Problem description

Apologies if this has already been asked and answered; I've looked around a bunch but haven't found exactly what I'm asking.

-

  1. Suppose my web app at http://example.com/ uses a private and undocumented web API at http://api.example.com/ to fetch data, e.g. via XHR or JSONP.

  2. Also suppose that this web app is anonymous — it does not require user login.

  3. Since there's communication between client and server, anyone can open Fiddler, etc. to see the exact request and response, not to mention inspect the client-side JS code.

In a case like this, how can you prevent someone from using your API in a non-web client app? E.g. an iPhone app, or server-side.

To my understanding, point #2 removes the option of something like OAuth, and point #3 removes the option of e.g. API keys or even SSL.

I've thought about things like time-based tokens or secret salts that are injected into the page on first load, but an iPhone app could easily just secretly load your webpage before making API requests.

So is there any way besides just plain obfuscation — security through obscurity?

-

In case all that is too abstract, here's a simple example:

Google.com fetches its auto-complete data via some API that's private and undocumented — but open on the web. What's to stop me from using it in my iPhone app?

Recommended answer

You can't prevent people from copying your client code or replaying network traffic.

Thanks to the same origin policy, other web apps can't access your API from the client. They will have to proxy their requests via the server, meaning these requests will come from a handful of easily identified IP addresses, which you can temporarily blacklist.

As for desktop and mobile apps, there's not much you can do. My advice is to not worry about them until they're a problem.

That said, it doesn't hurt to be prepared. If you want to avoid expensive legal battles, one thing you can do is change your API method signatures from time to time. Leeching apps can be fixed, but their reputation will steadily decline.
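As an added example (not code from the question or the answer above), here is one way the answer's advice could look server-side in Python: an Origin allowlist, which only filters other web apps because the browser enforces same-origin/CORS and a native or server client can omit the header, plus a per-IP sliding-window counter that temporarily blocks the "handful of easily identified" proxying addresses. The window, thresholds, origin list and the `ApiGate`/`simulate` names are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed policy values, not taken from the original post.
WINDOW_SECONDS = 60        # sliding window length
MAX_PER_WINDOW = 100       # requests one IP may make per window
BLOCK_SECONDS = 300        # how long an offending IP stays blocked
ALLOWED_ORIGINS = {"http://example.com"}  # the app's own origin from the question


class ApiGate:
    """Per-IP sliding-window limiter with temporary blocking for an anonymous API."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.blocked_until = {}          # ip -> time at which the block expires

    def check(self, ip, origin=None):
        """Return 'allow', 'bad_origin' or 'blocked' for one request."""
        t = self.now()
        # Origin is only meaningful for browser callers; it does not stop
        # a desktop, mobile or server client, which can omit or forge it.
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return "bad_origin"
        until = self.blocked_until.get(ip)
        if until is not None:
            if t < until:
                return "blocked"
            del self.blocked_until[ip]   # block expired, start counting afresh
        q = self.hits[ip]
        q.append(t)
        while q and q[0] <= t - WINDOW_SECONDS:   # evict hits outside the window
            q.popleft()
        if len(q) > MAX_PER_WINDOW:
            self.blocked_until[ip] = t + BLOCK_SECONDS
            q.clear()
            return "blocked"
        return "allow"


def simulate(events):
    """Replay constructed (time, ip, origin) events and return the gate's decisions."""
    clock = [0.0]
    gate = ApiGate(now=lambda: clock[0])
    decisions = []
    for t, ip, origin in events:
        clock[0] = t
        decisions.append(gate.check(ip, origin))
    return decisions
```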
