保护我的 API [英] Protecting my API

问题描述

我已经基于我的 API 创建了一个网站 - 这样我的前端就可以使用简单的 REST API 与后端分离(前端是纯 javascript/html).

I've created a website based on my API - so that my FrontEnd is decoupled from the backend using a simple REST API (frontend is pure javascript/html).

我想保护 API 不被其他人使用 - 这样调用就可以单独来自网站(或者可能允许其他特定网站使用它).

I would like to protect the API from usage by anyone else - so that the calls can come from the website alone (or maybe allow other specific websites to use it).

目前，如果有人使用 curl，他将能够非常轻松地抓取 API.

For now, if anyone would use curl he will be able to scrape the API very easily.

假设前端仅为 JS/Html，我如何保护 API，以便来自我自己页面的合法调用有效，但来自第三方的 curl 等无效?

How can I protect the API assuming the FrontEnd is JS/Html only, so that legitimate calls from my own pages work but curl and such from third parties do not?

推荐答案

这个问题可能不适合 SO，因为可能有多个同样有效的答案.

This question may not be a good fit for SO, as there can be multiple equally-valid answers.

但一种方法是使用 SSL、用户身份验证和令牌.这是一个纲要:

But one way to do this would be to use SSL, user authentication, and tokens. Here's a rundown:

1. 对使用 API 的页面使用 SSL.
2. 当从您的网站新请求一个页面时，您将返回一个允许用户登录的令牌，没有其他任何内容.该令牌与您服务器上的请求 IP 地址相关联，并且只能用于来自该 IP 地址的请求，并且只能用于登录.
3. 当用户登录时，您会为他们提供一个与他们的用户帐户和 IP 地址相关联的新令牌.必须使用该令牌并从该 IP 地址发出所有后续请求.
4. 将可以使用该令牌进行的 API 调用限制为该用户帐户必须能够使用的那些调用.换句话说，默认拒绝.
5. 在您认为合适的不活动时间间隔之后，使令牌(在服务器上)超时.
6. 将请求的速率限制为对使用您的应用程序的实际用户来说合理的速率.
7. 广泛使用您的日志来确定典型活动的模式，以便识别非典型活动并阻止它.
8. 这可能是显而易见的，但要确保令牌难以预测(例如，不是稳步增加的数字)并且难以欺骗.尽管 IP 地址/令牌链接保存在服务器端，但您仍然不想让潜在黑客的生活变得轻松.

1. Use SSL for the pages that use the API.
2. When a page is freshly-requested from your site, you return it with a token that allows user login and nothing else. That token is associated with the requesting IP address on your server and can only be used with requests from that IP address, and only for logging in.
3. When the user logs in, you give them a new token that's associated with their user account and IP address. All subsequent requests must be made using that token, and from that IP address.
4. Limit the API calls that can be made with that token to only those that that user account must be able to use. Default deny, in other words.
5. Time-out the tokens (on the server) after whatever interval of inactivity seems appropriate to you.
6. Rate-limit requests to a rate that is reasonable for an actual human being using your application.
7. Make extensive use of your logs to determine patterns of typical activity, so you can identify atypical activity and block it.
8. This may be obvious, but make sure the tokens are hard to predict (not a steadily-increasing number, for instance) and hard to spoof. Although the IP address/token link is held server-side, you still don't want to make life easy for potential hackers.

其中的用户身份验证部分很重要，因为否则，虽然您可以很安全地免受远程黑客攻击(因为 SSL)，但黑客使用浏览器访问您的网站以便他/她可以获得然后令牌可以使用 curl 或类似他/她的心的内容与该令牌.因此，如果有人正在挖掘您的网站，您至少希望了解他们可能是谁(您的用户身份验证)，以便您可以阻止他们.

The user authentication part of that is important, because otherwise, while you'd be pretty safe from remote hacking (because of the SSL), a hacker who uses a browser to go to your site so he/she can get the token can then use curl or similar to his/her heart's content with that token. So if someone is mining your site, you at least want to have some clue who they might be (your user authentication) so you can get them to stop.

这篇关于保护我的 API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！