保护一个API，使用JavaScript控件使用 [英] Securing an API for use with Javascript widget

问题描述

我在写这将通过博客/网站所有者可以安装一个javascript插件。它将与我的远程API沟通。

I'm writing a javascript plugin which will be installed by bloggers/website owners. It will communicate with my remote API.

我不知道如何保护API，以确保只有通过域名已经注册了一个账号的服务可从API访问资源的用户所拥有。我已经在读的OAuth2和了解的基础知识，但由于该插件会在浏览器中，而不是从服务器到服务器的运行，我不知道如何安全这个就可以了。

I'm wondering how to secure the API to ensure that only domains owned by users that have registered an account with the service can access resources from the API. I've read up on OAuth2 and understand the basics, but because the plugin will run from within the browser and not from server to server, i'm not sure how secure this can be.

像mixpanel，谷歌分析，olark使用相同的概念（即网站所有者在其网站上安装一个线JS的），所以它必须是一个解决的问题的服务吨。

Tons of services like mixpanel, google analytics, olark use the same concept (i.e. website owner install a line of JS on their site) so it must be a solved problem.

推荐答案

您可以插入 window.location的检查到您的脚本，包括它prevent其他人直接关闭服务器。

You can insert window.location checks into your script to prevent other people from including it directly off of your servers.

然而，这是不可能的prevent人下载本地脚本，删除你的保护，那么收留了它自己。

However, it is impossible to prevent people from downloading the scripts locally, removing your protection, then hosting it themselves.

您可以要求所有服务器端请求的API密钥，但敌人可以轻易地从合法网站窃取API密钥。

You can require an API key in all server-side requests, but enemies can easily steal API keys from legitimate sites.

这篇关于保护一个API，使用JavaScript控件使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！