Securing an API for use with a JavaScript widget


Question

I'm writing a JavaScript plugin which will be installed by bloggers/website owners. It will communicate with my remote API.

I'm wondering how to secure the API to ensure that only domains owned by users that have registered an account with the service can access resources from the API. I've read up on OAuth2 and understand the basics, but because the plugin will run from within the browser and not from server to server, I'm not sure how secure this can be.

Tons of services like Mixpanel, Google Analytics, and Olark use the same concept (i.e. website owners install a line of JS on their site), so it must be a solved problem.

Answer

You can insert window.location checks into your script to prevent other people from including it directly off your servers.

However, it is impossible to prevent people from downloading the scripts locally, removing your protection, and then hosting them themselves.

You can require an API key in all server-side requests, but enemies can easily steal API keys from legitimate sites.
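The two checks the answer mentions, as an added example that is not part of the original answer or of any of the services named in the question: a `window.location` hostname gate for the widget, and the server-side counterpart that ties each public API key to the hosts registered for it and checks the browser-set `Origin`/`Referer` header against them. The key names, hostnames and the `REGISTRY` table are constructed sample data, and the function names are this example's own.

```javascript
// Added example (not from the original answer): domain gating for a
// third-party widget. Browser side: the window.location check. Server side:
// map each public API key to its registered hosts and require that the
// request's Origin (or Referer) hostname is one of them.
// All keys, hostnames and the REGISTRY contents are hypothetical sample data.

// Match a hostname against registered hosts on label boundaries, so that
// "evilexample.com" does not match "example.com" while "blog.example.com" does.
// Case and a trailing dot are normalised first.
function hostIsAllowed(hostname, allowedHosts) {
  const host = String(hostname).toLowerCase().replace(/\.$/, '');
  return allowedHosts.some((entry) => {
    const allowed = entry.toLowerCase();
    return host === allowed || host.endsWith('.' + allowed);
  });
}

// Widget bootstrap: only initialise when the embedding page is on a
// registered host. This is the check the answer describes. Anyone who copies
// the script can delete this function, so it is a convenience filter, not a
// security boundary; the server-side check below is the one that matters.
function shouldInitWidget(win, allowedHosts) {
  if (!win || !win.location || !win.location.hostname) return false;
  return hostIsAllowed(win.location.hostname, allowedHosts);
}

// Server side. Public API key -> hosts registered for that key
// (constructed sample data).
const REGISTRY = new Map([
  ['pk_blog_a1b2c3', ['alice-blog.example']],
  ['pk_shop_d4e5f6', ['shop.example', 'cdn.shop.example']],
]);

// Hostname from an Origin or Referer header value, or null if absent/invalid.
function headerHost(value) {
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Authorisation decision for one API request. Browsers set Origin on
// cross-origin fetch/XHR and Referer on script/image loads; page JavaScript
// cannot rewrite either, which is what blunts the "steal the key from a
// legitimate site and use it from my own page" case. A non-browser client can
// still forge both headers, so this belongs with per-key rate limiting, not
// instead of it.
function authorizeRequest({ apiKey, origin, referer }) {
  const hosts = REGISTRY.get(apiKey);
  if (!hosts) return { ok: false, status: 401, reason: 'unknown api key' };

  const host = headerHost(origin) || headerHost(referer);
  if (!host) return { ok: false, status: 403, reason: 'no origin or referer' };

  if (!hostIsAllowed(host, hosts)) {
    return { ok: false, status: 403, reason: 'host not registered for key' };
  }
  return { ok: true, status: 200, reason: 'ok' };
}
```

Two caveats for real deployments: a site that sends `Referrer-Policy: no-referrer` will fail the fallback path unless the widget uses `fetch`/XHR (which still carries `Origin`), and the key remains public by design, so the server-side host binding plus rate limiting is what limits abuse, not key secrecy.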

