How can you prevent arbitrary client apps from using your anonymous web API?

Problem description

Apologies if this has already been asked and answered; I've looked around a bunch but haven't found exactly what I'm asking.

-

  1. Suppose my web app at http://example.com/ uses a private and undocumented web API at http://api.example.com/ to fetch data, e.g. via XHR or JSONP.

  2. Also suppose that this web app is anonymous — it does not require user login.

  3. Since there's communication between client and server, anyone can open Fiddler, etc. to see the exact request and response, not to mention inspect the client-side JS code.

In a case like this, how can you prevent someone from using your API in a non-web client app? E.g. an iPhone app, or server-side.

To my understanding, point #2 removes the option of something like OAuth, and point #3 removes the option of e.g. API keys or even SSL.

I've thought about things like time-based tokens or secret salts that are injected into the page on first load, but an iPhone app could easily just secretly load your webpage before making API requests.

So is there any way besides just plain obfuscation — security through obscurity?

-

In case all that is too abstract, here's a simple example:

Google.com fetches its auto-complete data via some API that's private and undocumented — but open on the web. What's to stop me from using it in my iPhone app?

Recommended answer

You can't prevent people from copying your client code or replaying network traffic.

Thanks to the same origin policy, other web apps can't access your API from the client. They will have to proxy their requests via the server, meaning these requests will come from a handful of easily identified IP addresses, which you can temporarily blacklist.

As for desktop and mobile apps, there's not much you can do. My advice is to not worry about them until they're a problem.

That said, it doesn't hurt to be prepared. If you want to avoid expensive legal battles, one thing you can do is change your API method signatures from time to time. Leaching apps can be fixed, but their reputation will steadily decline.
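As an added example (not part of the answer or the original post), here is what the two server-side measures the answer names look like in code: an Origin allowlist, which is the server's side of the same-origin/CORS story for browser XHR callers, and a temporary per-IP block that kicks in when one address (e.g. a server that proxies the API for another app) exceeds a request rate. The `Gate` class, the `ALLOWED_ORIGINS` value and all thresholds are constructed assumptions for illustration. Consistent with the answer, the Origin check only filters other sites' browser code; a native app or a proxy can send any header it likes, which is exactly why the rate-based block is the layer that actually bites.

```python
"""Constructed example: a request gate for an anonymous web API.

Decision per request is one of:
  "allow"        - serve the request
  "deny-origin"  - a browser on a foreign origin (CORS would already keep it
                   from reading the response; refusing it early saves work)
  "deny-blocked" - the client IP is inside a temporary block window
"""
from collections import defaultdict, deque

# Origins whose pages are allowed to call the API from the browser (assumption).
ALLOWED_ORIGINS = {"http://example.com"}


class Gate:
    def __init__(self, allowed_origins, max_requests=100,
                 window_seconds=60, block_seconds=900):
        self.allowed_origins = set(allowed_origins)
        self.max_requests = max_requests      # requests tolerated per window
        self.window = window_seconds          # sliding window length
        self.block_for = block_seconds        # length of a temporary block
        self.history = defaultdict(deque)     # ip -> timestamps of recent requests
        self.blocked_until = {}               # ip -> time the block expires

    def check(self, origin, ip, now):
        """origin: value of the Origin header or None; now: epoch seconds."""
        # Browsers send Origin on cross-origin and non-GET requests but may omit
        # it on a same-origin GET, so only a *present* foreign origin is refused.
        # Non-browser clients can forge this header; it is not a barrier for them.
        if origin is not None and origin not in self.allowed_origins:
            return "deny-origin"

        # Honour an active temporary block; lift it once it has expired.
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "deny-blocked"
            del self.blocked_until[ip]

        # Sliding-window count: drop timestamps that fell out of the window.
        recent = self.history[ip]
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        recent.append(now)

        # Exceeding the budget starts a temporary block (the answer's
        # "temporarily blacklist" step) rather than a permanent ban.
        if len(recent) > self.max_requests:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return "deny-blocked"
        return "allow"


def run_demo():
    """Replay a constructed sequence of requests and return the decisions."""
    gate = Gate(ALLOWED_ORIGINS, max_requests=3, window_seconds=10, block_seconds=60)
    # (origin header, client ip, timestamp) - all values constructed
    events = [
        ("http://example.com", "203.0.113.5", 0),   # own page, allowed
        ("http://other.test", "203.0.113.5", 1),    # foreign page, refused
        (None, "203.0.113.5", 2),                   # same-origin GET without Origin
        ("http://example.com", "203.0.113.5", 3),
        ("http://example.com", "203.0.113.5", 4),   # 4th in window -> blocked
        ("http://example.com", "203.0.113.5", 30),  # still blocked
        ("http://example.com", "203.0.113.5", 64),  # block expired -> allowed
    ]
    return [gate.check(o, ip, t) for o, ip, t in events]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The block is per source address and time-limited on purpose: a proxying server that stops misbehaving regains access without an operator having to maintain a list, while a browser user who shares that address with nobody else is never affected by the Origin rule at all.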
