Securing access to PHP API


Problem description


I have an iPhone app that is using my PHP API on the server but it is currently open if someone knows the URL. I want to make sure that no one can use this API until I am ready to make it a public API (if I even do).

I have read this article but I am unsure what they mean when they say:

[CLIENT] Before making the REST API call, combine a bunch of unique data together (this is typically all the parameters and values you intend on sending, it is the "data" argument in the code snippets on AWS’s site)

I don't understand how if I hash the parameters I plan on sending with my api secret how this is more secure than just hashing the api secret if I send the parameters/values unencrypted.

Solution

HTTPS the API and use an API key. Then you'll know that only people (you in this case) with the key can have access to the API.

You're correct about it not being more secure. That's why I suggest you SSL the connection. Unless you plan on encrypting everything you transmit back and forth.

The public/private key scenario will also work well. HTTPS requires very minimal effort.
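
The signing step quoted in the question, as an added example (not from the original post or the linked article): the client computes an HMAC over the parameters plus a timestamp, and the PHP server recomputes it and compares. The function names, secret and sample parameters are constructed, and the timestamp window is an assumption beyond the quoted step. The signature covers integrity of the request only, so the parameters are still readable in transit unless the call goes over HTTPS.

```php
<?php
// Added example: every name, the secret and the sample request are constructed.

const API_SECRET = 'constructed-demo-secret'; // assumption: known only to the app and the server
const MAX_SKEW   = 300;                       // assumption: seconds a signed request stays valid

// Build the exact string both sides sign: timestamp plus sorted, encoded parameters.
function canonical_string(array $params, int $timestamp): string
{
    ksort($params); // fixed order so client and server hash identical bytes
    return $timestamp . "\n" . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Client side: HMAC-SHA256 over the canonical string, keyed with the shared secret.
function sign_request(array $params, int $timestamp, string $secret): string
{
    return hash_hmac('sha256', canonical_string($params, $timestamp), $secret);
}

// Server side: reject stale timestamps, recompute the HMAC, compare in constant time.
function verify_request(array $params, int $timestamp, string $signature, string $secret, int $now): bool
{
    if (abs($now - $timestamp) > MAX_SKEW) {
        return false;
    }
    return hash_equals(sign_request($params, $timestamp, $secret), $signature);
}

// Constructed sample request.
$now    = 1700000000;
$params = ['action' => 'get_scores', 'user_id' => '42'];
$sig    = sign_request($params, $now, API_SECRET);

// Case 1: request arrives unchanged.
var_dump(verify_request($params, $now, $sig, API_SECRET, $now));

// Case 2: a parameter was altered after signing; the old signature is reused.
$tampered = ['action' => 'get_scores', 'user_id' => '43'];
var_dump(verify_request($tampered, $now, $sig, API_SECRET, $now));

// Case 3: the original request and signature are presented again an hour later.
var_dump(verify_request($params, $now, $sig, API_SECRET, $now + 3600));
```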
