使用 CORS 保护 API [英] Protect API with CORS
问题描述
我想用 CORS 保护我的 API.我希望我的 API 仅具有来自所选域的调用访问权限.
I would like to protect my API with CORS. I want my API to have call access only from the selected domain.
我正在使用 node.js 和 express,所以我添加到我的项目中:https://github.com/expressjs/cors
I am using node.js and express, so I add to my project: https://github.com/expressjs/cors
和示例代码:
var express = require('express')
var cors = require('cors')
var app = express()
var corsOptions = {
origin: 'http://example.com',
optionsSuccessStatus: 200
}
app.get('/test', cors(corsOptions), function (req, res, next) {
res.json({msg: 'This is CORS-enabled for only example.com.'})
})
但是如果我通过 POSTMAN 从本地主机发出请求,我仍然会从该路由中得到响应.这应该被阻止,并且只适用于来自一个域 (example.com) 的请求.
But if I make a request via POSTMAN from localhost, I still get a response from this routing. This should be blocked and only work for requests from one domain (example.com).
我以前试过:
router.get('/test', cors(corsOptions), function(req, res, next) {
console.log(corsOptions);
res.header("Access-Control-Allow-Origin", "http://www.example.com);
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
res.status(200).send({ work: true });
});
但这也让我从邮递员那里请求...
But this also lets my requests from POSTMAN...
我想要一个只有在我的 example.com 页面和 JavaScript 发送请求时才能引用的 API.
I would like to have an API that can be referenced only if it comes to my example.com page and from there are requests sent by JavaScript.
推荐答案
COR 仅适用于浏览器,因此它不会对在浏览器外部(如 Postman)发出的请求产生任何影响.这是一种需要客户端自己实现CORs保护的技术.
CORs only works from browsers so it will not have any effect on a request made outside a browser like from Postman. It is a technology that requires the client itself to implement the CORs protection.
除非您实施某种身份验证或基于时间的令牌,否则无法阻止 POSTMAN 或任何其他编程访问使用您的 API.这是基于 Web 的 API 的本质.如果它们可以在您的网页中使用,那么其他任何人也可以通过编程方式使用它们.
There is no way to keep POSTMAN or any other programmatic access from using your API unless you implement some sort of authentication or time-based tokens. This is the nature of web-based APIs. If they can be used in your web pages, then anyone else can use them programmatically too.
COR 的目的是防止其他网页从他们自己的网页 Javascript 中使用您的 API.这就是它保护的全部.事实上,如果另一个网站想要从他们的服务器访问您的 API,然后将结果放入他们自己的网页中,他们可以这样做 - COR 根本不限制服务器或浏览器之外的程序访问.
The purpose of CORs is to keep other web pages from using your API from their own web page Javascript. That's ALL it protects. In fact, if another web site wants to access your API from their server and then put results into their own web pages, they can do that - CORs does not restrict server or programmatic access outside a browser at all.
有关保护 API 的一般主题的进一步讨论,请参阅以下参考资料:
For further discussion of the general topic of protecting an API, see these references:
如何发布访问 REST api 的 jQuery 代码,但如何防止未经授权的使用
这篇关于使用 CORS 保护 API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
