Rate limiting an API with a special exception

Views: 166

Question

I have a webapp that consumes a REST API. I'd like to share the API with the wider world, but before doing so, I need to add rate limiting to prevent abuse / high load from buggy clients. I'd like to make an exception for my own webapp so it has a higher limit.

Is there a reasonable way to do this? Not looking for a 100% bulletproof solution, but maybe something that just makes the API a little more difficult to exploit.

Bear in mind that the webapp is publicly exposed, so I can't just rely on rate limiting by API token, since someone could just use the same token.

Accepted answer

Since a webapp cannot hide anything from its users, I don't think there is a way to ensure that the application talking to your API is yours.

Everything you can do is security through obscurity, which is by definition insecure.

Edit

I would have a solution, still not secure, but that would be an idea.

The first thing is to have two authentication systems.


  1. Third-party authentication (API token)

  2. Web app authentication (API token + web token)

Then it's a bit like your idea. You generate a token for each HTTP session. The difference would be that the web app (calls authenticated as such) would have a lower limit (eg. 10k for 3rd party and 1k for web app). The reason why you should decrease the number of calls authorized is because a single HTTP session (1 person behind it) should generate fewer API calls than a third party app. Is it your case?

Of course the third party application could easily authenticate itself as a web app, but then it would have to renew its session more quickly, so you can monitor the number of sessions per IP. Just be aware that universities and companies are often a lot behind a single IP.
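The two-tier scheme the answer sketches, as an added example that is not part of the original post: a fixed-window counter keyed by API token (third-party tier, 10k) or by web session token (web-app tier, 1k), plus the per-IP session count the answer suggests monitoring. The window length, the per-IP session cap, and the class and method names are assumptions; the sample tokens and IPs in the comments are constructed.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, Optional, Set, Tuple

# Per-window limits from the answer; window length and per-IP session cap are assumptions.
LIMITS = {"third_party": 10_000, "web_session": 1_000}
WINDOW_SECONDS = 3600
MAX_SESSIONS_PER_IP = 50   # generous on purpose: campuses and offices sit behind one IP


class TwoTierLimiter:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                          # injectable clock, so tests can advance time
        # (tier, key) -> (window_start, count)
        self.counters: Dict[Tuple[str, str], Tuple[float, int]] = {}
        self.sessions_by_ip: Dict[str, Set[str]] = defaultdict(set)

    def issue_session(self, client_ip: str, session_token: str) -> bool:
        """Register a web session token for an IP; refuse once the IP holds too many.
        A third party posing as the web app has to keep minting sessions, which shows up here."""
        active = self.sessions_by_ip[client_ip]
        if session_token not in active and len(active) >= MAX_SESSIONS_PER_IP:
            return False
        active.add(session_token)
        return True

    def allow(self, tier: str, key: str) -> bool:
        """Fixed-window counter keyed by (tier, key); key is an API token or a session token."""
        t = self.now()
        start, count = self.counters.get((tier, key), (t, 0))
        if t - start >= WINDOW_SECONDS:         # window expired: start a fresh one
            start, count = t, 0
        allowed = count < LIMITS[tier]
        self.counters[(tier, key)] = (start, count + 1 if allowed else count)
        return allowed

    def check_request(self, api_token: str, client_ip: str,
                      session_token: Optional[str] = None) -> bool:
        """Web-app tier when a session token registered for this IP accompanies the API
        token; otherwise the third-party tier. Validating the API token itself is assumed
        to have happened before this call."""
        if session_token and session_token in self.sessions_by_ip[client_ip]:
            return self.allow("web_session", session_token)
        return self.allow("third_party", api_token)
```

Per-IP session counts are what you would alert on; the limiter itself only refuses new sessions once an IP has exhausted its cap.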
