Best way to handle API calls from frontend


Question


Okay, so atm I have a frontend application built with Nuxt JS using Axios to do requests to my REST API (separate).


If a user does a search on the website the API URL is visible in XMLHttpRequests, so everyone could use the API if they want to.


What is the best way of making it so that only users that search through my website get access to the API and people that just go directly to the URL get denied? I suppose using some sort of token system, but what is the best way to do it? JWT? (Users never log in, so there is no "authentication".)

Thanks!

Answer

  1. IMO, you CANNOT block other illegal clients from accessing your backend, since as you describe it, the official client and other illegal clients have the same knowledge about your backend.
  2. But you can make it harder for illegal clients to access your backend through approaches such as POSTing all requests, special keys in the header, a token in the header that changes every 30 minutes, and server-side API throttling by client IP.
  3. If the security of the search API is really important, authenticate it by login; if not, just let it go, since it is not in your critical path. Let's focus on other important things.

