Securing access to PHP API

Question

I have an iPhone app that is using my PHP API on the server, but it is currently open if someone knows the URL. I want to make sure that no one can use this API until I am ready to make it a public API (if I even do).

I have read this article but I am unsure what they mean when they say:

[CLIENT] Before making the REST API call, combine a bunch of unique data together (this is typically all the parameters and values you intend on sending, it is the "data" argument in the code snippets on AWS’s site)

I don't understand how, if I hash the parameters I plan on sending with my API secret, this is more secure than just hashing the API secret if I send the parameters/values unencrypted.

Recommended answer

HTTPS the API and use an API key. Then you'll know that only people (you in this case) with the key can have access to the API.

You're correct about it not being more secure. That's why I suggest you SSL the connection. Unless you plan on encrypting everything you transmit back and forth.

The public/private key scenario will also work well. HTTPS requires very minimal effort.
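
The check the answer recommends (HTTPS plus an API key), written out as an added example that is not part of the original post. The `X-Api-Key` header name, the function names and the sample key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: all names here are hypothetical, not from the original post.

// True only when PHP itself saw a TLS request. Behind a TLS-terminating
// proxy $_SERVER['HTTPS'] may be unset; enforce HTTPS at the proxy instead.
function isHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// PHP exposes the request header "X-Api-Key" (assumed name) as HTTP_X_API_KEY.
function presentedKey(array $server): ?string
{
    $key = $server['HTTP_X_API_KEY'] ?? null;
    return (is_string($key) && $key !== '') ? $key : null;
}

// Returns the HTTP status the endpoint should answer with.
function authorize(array $server, string $storedHash): int
{
    if (!isHttps($server)) {
        return 403; // never accept the key over plain HTTP, where it can be read
    }
    $key = presentedKey($server);
    if ($key === null) {
        return 401; // no key sent
    }
    // Compare hashes with hash_equals() so the comparison runs in constant time.
    return hash_equals($storedHash, hash('sha256', $key)) ? 200 : 401;
}

// Constructed sample: the server keeps only a hash of the key, loaded in
// practice from configuration stored outside the web root.
$storedHash = hash('sha256', 'constructed-sample-key');

// Constructed requests, shaped like $_SERVER.
$requests = [
    'https, correct key' => ['HTTPS' => 'on', 'HTTP_X_API_KEY' => 'constructed-sample-key'],
    'https, wrong key'   => ['HTTPS' => 'on', 'HTTP_X_API_KEY' => 'guess'],
    'https, no key'      => ['HTTPS' => 'on'],
    'http, correct key'  => ['HTTP_X_API_KEY' => 'constructed-sample-key'],
];
foreach ($requests as $label => $server) {
    printf("%-20s => %d\n", $label, authorize($server, $storedHash));
}
```

In a real endpoint the call would be `authorize($_SERVER, $storedHash)`, with the result passed to `http_response_code()` before any API logic runs.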
