有哪些可用于保护webapis的选项 [英] What are the available options for securing webapis
问题描述
我正在开发一个Web应用程序,我需要从第三方供应商处提取数据。有为此编写的REST API将从第三方提取数据。
我的问题是:我如何保护这些电话?我的意思是,如果有人可以获得端点然后他/她将获得数据,我想阻止这一点。
一个答案可能是使用身份验证和授权,在这里,我将首先发送用户凭证,并在成功验证后,将返回一个令牌,此标记将在标题中的每个后续请求中传递。
我有一个问题:如果我必须在标头中的每个请求中传递令牌,那么我也可以在每个请求中传递凭据。然后需要进行身份验证,我可以轻松地在每个请求的头中传递凭据并进行身份验证。
此外,如果有人可以回答保护此类API调用的其他可用选项
谢谢
我尝试了什么:
如果我必须在标题中的每个请求中传递令牌,那么我也可以通过每个请求传递凭据。然后需要进行身份验证,我可以轻松地在每个请求的头中传递凭据并进行身份验证。
I am working on a web application where I need to pull data from a third party vendor. There are REST APIs written for this which will pull data from the third party.
My Question is: How can i secure these calls? I mean if anyone can get the endpoint then he/she will get the data, I want to prevent this.
one answer could be using authentication and authorization, here I will first send the user credentials and upon successful validation, a token will be returned and this token will be passed in every subsequent request in header.
I have a question in this: IF i have to pass the token in every request in header then i can also pass credentials with every request. Then what is the need for authentication, I can easily pass credentials in header with every request and authenticate.
ALSO, If someone can answer what are the other available options for securing such API calls
Thanks
What I have tried:
IF i have to pass the token in every request in header then i can also pass credentials with every request. Then what is the need for authentication, I can easily pass credentials in header with every request and authenticate.
推荐答案
如果您在每个请求中传递凭据,则表示服务器每次都必须重新验证这些凭据。鉴于验证凭证在处理器周期和I / O方面不是免费的,这可能不是一个可行的解决方案,具体取决于服务器必须处理的总费用。
而令牌是构造的从成功的身份验证,并确保给定的客户端已经通过身份验证过程。它可以节省资源和时间,而不会影响应用程序的安全性。
If you pass credentials at each request, then it means that the server would have to re-validate these credentials each time. Given that validating credentials is not free in terms of processor cycles and I/O, that may not be a viable solution, depending on the total charge which the server has to handle.
Whereas the token is constructed from a successful authentication and ensures that a given client has already passed the authentication process. It saves resources and time without compromising the security of your application.
这篇关于有哪些可用于保护webapis的选项的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!