How can you secure a JavaScript application's API calls?


Question

I have a JavaScript application.

It's built with jQuery.

It uses $.get() to pull JSON data from a server, and uses the data to load a puzzle.

I want to distribute the JavaScript application to clients, and make it easy for them to install.

I'd like it to simply give them a JavaScript block they can drop into their page, and it will interact with my API.

I'm not passing sensitive data, and my API is protecting the database from SQL injection, etc.

I just want to try to prevent unauthorized use of my API, and I can't think of a way to do that with JavaScript, since anyone with a DOM inspector can scrape any credentials from any variables or can monitor any server traffic POST or GET data...

Would it be possible to authenticate the referrer on the other side?

I know that's not bulletproof, but it's not sensitive data. I just want to reduce the unauthorized use as much as possible.

Any ideas?

Note: I know obfuscating an API key or something is futile; I'm wondering what other controls I could put in place other than a traditional key to identify the caller to the API. I have full control over the API itself, so I could do anything on that side of things...

Recommended answer

With JavaScript, just about any authentication system is going to have holes, simply because the code runs directly in the browser and can be seen by anyone (as can the network calls). So there are a couple of things you can try, depending on your situation.

If you are distributing this application to a small subset of clients, and you know exactly where they will be accessing it from, you could use IP whitelisting. This really is the only way to completely secure the API. However, this method is very cumbersome, since with every new client you have to update the API whitelist, and considering what you're talking about here, it's probably not what you're looking for (but I mention it just because it is a possibility).

Another method is access tokens. This is a common method used by sites such as Facebook. There are two methods to do this. One is to just give each client a secret key. You can have the same secret key for everyone, but this is not very secure. Having a different secret key for everyone allows you to not only track usage, but also revoke access privs if necessary.

The first method for access tokens is to just give it inside the JS client. However, this means that anyone who looks at the source will be able to access your key, and make requests using it.

The second method is to have the secret key stored somewhere on the SERVER of the website where your client runs. This server can then make a server-to-server call using that key to obtain a temporary session token. People will still be able to access the temporary session token via the front-end, but they will have to access this site first in order to get it (this allows you to pass off responsibility for handling this to the website operator), and the token will eventually expire. However, this means there needs to be some server-side code, and the app won't just be a drag-and-drop thing.

For the method given above you can also look into things like OAuth, to avoid re-inventing the wheel.

Another possible thing using IPs is to set a hard cap on either how often or how much per day a specific IP can hit the whitelist. Though you may run into problems with users who REALLY like the puzzles, this will prevent some of the potential abuse.
