如何prevent数据刮了宝贵的数据网络服务? [英] How to prevent data-scraping a valuable data web service?
问题描述
我有一个Windows应用商店的应用程序一个好主意。我想使这个应用程序。然而,它需要大量的,有价值的数据库,我需要为使人们无法轻易窃取它创建服务。
我的想法是,也许承载在Azure上(这是我从来没有尝试过)的移动服务,并创建一个.NET的Web API项目采取请求和盘开出的Json像糖果到Windows 8 mvvmclient。但我不希望是有人窃听我的交通来回应用服务,并搞清楚如何使用我的应用程序和服务的GET / POST数据,然后建立自己的应用程序/网站使用我的带宽,以显示此数据使他们的钱。
I have a great idea for a windows store app. I'd like to make this app. However it requires a large and valuable database that I will need to create a service for so that people cannot easily steal it. My thinking is maybe host a mobile service on Azure (which I've never tried) and create a .net Web API project to take requests and dish out Json like candy to a windows 8 mvvmclient. However what I don't want is someone sniffing my traffic back and forth from app to service and figuring out how to get/post data from using my app and service then setting up their own app / website to display this data using my bandwidth to make them money.
我如何保护我的应用程序到数据库的数据访问,因此不能对逆向工程我。
How can I protect my app-to-db data access so it can't be reverse engineered on me.
另外这是一个用于开发高容量Windows 8应用这样的最佳设置吗?你有更好的建议?
Also is this the best setup for developing a high volume windows 8 app like this? Do you have a better suggestion?
我知道我可以使用SSL等,以通信进行加密,并从。我试图保护是有人使用Firebug或提琴手弄清楚哪些参数可以发布到获得一个特定的记录了。然后创建自己的网站,简单地使用我的服务为终点和虹吸管我的数据和妓女我的带宽。 IE浏览器。只需使用Firebug我知道我可以使用 https://www.google.com/search?q=dallas 搜索在谷歌的词达拉斯。即使我加密页面,就可以看到他们的浏览器那么多。所以,如果有人做了同样的GET / POST在自己的应用程序,他们会得到相同的记录背因此利用我的东西。
I know I can use SSL etc to encrypt traffic to and from. What I am trying to protect is someone using Firebug or Fiddler to figure out what parameters can be posted to get a particular record back. Then creating their own site that simply uses my service as the end point and siphons my data and whores my bandwidth. ie. Just using firebug I know I can use https://www.google.com/search?q=dallas to search the word dallas on google. Even if I encrypt the page, they can see that much in their browser. so if someone does the same get/post in their own application they would get the same records back thus using my stuff.
推荐答案
你可以做最简单的事情是为使用类似的 OAuth的。这将允许您以确保在匿名的方式为您服务没有通信发生。
The most straight forward thing you can do is to setup authentication for your users using something like OAuth. This will allow you to ensure no communication happens with your service in an anonymous fashion.
一旦你验证你的要求,你可以放在那些不会影响正常的用户请求的控制。你可以限速,油门请求或任意数量的策略,使其非常昂贵的时候明智地吸走你的数据集的大部分。
Once you have authenticated your requests you can place controls on those requests that won't impact a normal user. You could rate limit or throttle requests or any number of tactics to make it very expensive time wise to siphon off large portions of your data set.
例如,你可以当你注意到从单个IP地址的大量用户聚集的开始阻止请求。你可以把合理的限度上的每个用户(如每分钟10 API调用与限制为50的结果集)。你的想法我敢肯定。
For instance, you can start blocking requests when you notice a large number of users clustering from a single IP address. You could place sensible limits on each user (like 10 API calls per minute with a result set limited to 50). You get the idea I'm sure.
这篇关于如何prevent数据刮了宝贵的数据网络服务?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
