How to prevent arbitrary client apps from using anonymous web API?


Question

Apologies if this has already been asked and answered; I've looked around a bunch but haven't found exactly what I'm asking.

--

  1. Suppose my web app at http://example.com/ uses a private and undocumented web API at http://api.example.com/ to fetch data, e.g. via XHR or JSONP.

  2. Also suppose that this web app is anonymous — it does not require user login.

  3. Since there's communication between client and server, anyone can open Fiddler, etc. to see the exact request and response, not to mention inspect the client-side JS code.

In a case like this, how can you prevent someone from using your API in a non-web client app? E.g. an iPhone app, or server-side.

To my understanding, point #2 removes the option of something like OAuth, and point #3 removes the option of e.g. API keys or even SSL.

I've thought about things like time-based tokens or secret salts that are injected into the page on first load, but an iPhone app could easily just secretly load your webpage before making API requests.

So is there any way besides just plain obfuscation — security through obscurity?

--

In case all that is too abstract, here's a simple example:

Google.com fetches its auto-complete data via some API that's private and undocumented — but open on the web. What's to stop me from using it in my iPhone app?

Accepted answer

You can't prevent people from copying your client code or replaying network traffic.

Thanks to the same origin policy, other web apps can't access your API from the client. They will have to proxy their requests via the server, meaning these requests will come from a handful of easily identified IP addresses, which you can temporarily blacklist.

As for desktop and mobile apps, there's not much you can do. My advice is to not worry about them until they're a problem.

That said, it doesn't hurt to be prepared. If you want to avoid expensive legal battles, one thing you can do is change your API method signatures from time to time. Leaching apps can be fixed, but their reputation will steadily decline.
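As an added example (not code from the original answer), here is how the two defensive points above could be enforced in a small Node-style gatekeeper: CORS headers are issued only for the first-party origin, so browsers on other origins are stopped by the same-origin policy, and an IP that proxies requests in bulk is temporarily blocked once it passes a threshold. The `ApiGate` class, the window, threshold and block durations, and the sample IPs are all assumptions.

```javascript
// ALLOWED_ORIGIN comes from the question; the numbers below are assumptions.
const ALLOWED_ORIGIN = "http://example.com";
const WINDOW_MS = 60 * 1000;        // assumption: 1-minute counting window
const MAX_PER_WINDOW = 5;           // assumption: kept tiny so the sample trips it
const BLOCK_MS = 10 * 60 * 1000;    // assumption: temporary block of 10 minutes

class ApiGate {
  constructor() {
    this.hits = new Map();         // ip -> timestamps of requests inside the window
    this.blockedUntil = new Map(); // ip -> ms timestamp at which the block expires
  }

  // Only the first-party origin receives Access-Control-Allow-Origin; any other
  // origin's XHR is refused by the browser, which is what forces a server-side proxy.
  corsHeaders(origin) {
    return origin === ALLOWED_ORIGIN
      ? { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin" }
      : {};
  }

  // Decide whether to serve one request. `now` (ms) is passed in by the caller so
  // the decision is deterministic and testable.
  check(ip, origin, now) {
    const until = this.blockedUntil.get(ip);
    if (until !== undefined) {
      if (now < until) return { allowed: false, reason: "blocked", headers: {} };
      this.blockedUntil.delete(ip);  // block expired: the IP starts fresh
      this.hits.delete(ip);
    }
    const recent = (this.hits.get(ip) || []).filter(t => now - t < WINDOW_MS);
    recent.push(now);
    this.hits.set(ip, recent);
    if (recent.length > MAX_PER_WINDOW) {
      this.blockedUntil.set(ip, now + BLOCK_MS);
      return { allowed: false, reason: "rate-limited", headers: {} };
    }
    return { allowed: true, reason: "ok", headers: this.corsHeaders(origin) };
  }
}

// Constructed sample traffic: one browser user on the real site, then a proxying
// server (no Origin header) sending seven requests from a single IP within seconds.
function runSample() {
  const gate = new ApiGate();
  const t0 = 1700000000000;
  const browser = gate.check("203.0.113.7", ALLOWED_ORIGIN, t0);
  const proxyResults = [];
  for (let i = 0; i < 7; i++) proxyResults.push(gate.check("198.51.100.9", undefined, t0 + i * 1000));
  const afterBlock = gate.check("198.51.100.9", undefined, t0 + BLOCK_MS + 7 * 1000);
  return { browser, proxyResults, afterBlock };
}
```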
