YouTube API密钥安全 - 我应该多担心? [英] YouTube API Key Security - How worried should I be?
问题描述
我正准备推出使用YouTube V3 API的Angular / Node网络应用程序。该应用程序在大约3周前发布,作为市场验证的测试版,在测试版中非常成功。它不会取得商业上的成功,只是一个有趣的应用程序,让人们的生活更轻松一点。我有一个问题/疑虑,我应该隐藏我的YouTube V3 API密钥,客户端ID和范围吗?或者我可以假设,因为只有我的域名被列入白名单,潜在的黑客/尝试使用API密钥的人将无法拨打电话或造成任何损害,因此我无需担心?
I'm getting ready to launch an Angular/Node web application which uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and was pretty successful in beta. It's not going to be a commercial success, just a fun app that makes peoples lives a little bit easier. I have one issue/concern, should I be hiding my YouTube V3 API key, client id, and scopes? Or can I assume that since only my domain name is whitelisted, that the potential hackers/people who try to use the API key, won't be able to make any calls or do any damage so therefore I have nothing to worry about?
这些是我担心的具体电话(不是真正的ids /键)
These are the specific calls I'm worried about (not the real ids/keys)
Index.html脚本标签
Index.html Script Tag
var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];
在Angular中,Controller.js
In Angular, Controller.js
.value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
gapi.client.setApiKey(google_api_key);
推荐答案
对于简单访问到Google API,API密钥是请求所需的唯一凭据,它是一个您的应用/项目的唯一标识符。它提供API访问权限并受配额限制。
For Simple Access to Google APIs, API key is the only credential required for the request, and it is a unique identifier of your app/project. It provides API access and is subject to quotas.
你应该保守秘密!
如果您有一个仅限客户端的应用程序(没有服务器),请使用 OAuth 2.0客户端流程
If you have a client-side-only app (without a server), then use OAuth 2.0 Client-side Flow
安全使用API密钥的最佳做法:
在应用程序中使用API密钥时,请注意保护它们的安全。公开泄露您的凭据可能会导致您的帐户遭到入侵,这可能会导致您的帐户产生意外费用。为确保您的API密钥安全,请遵循以下最佳做法:
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:
-
不要直接在代码中嵌入API密钥
嵌入代码中的API密钥可能会意外地暴露给公众 - 例如,如果您忘记从共享的代码中删除密钥。不要将API密钥嵌入应用程序中,而是将它们存储在环境变量或应用程序源树之外的文件中。
API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.
不要存储API应用程序源代码树中文件中的键
如果将API密钥存储在文件中,请将文件保留在应用程序源代码树之外,以帮助确保密钥不在最终进入您的源代码控制系统。如果您使用公共源代码管理系统(如GitHub),这一点尤为重要。
If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.
限制您的API密钥仅供IP地址使用,引荐来源网址和需要它们的移动应用
通过限制可以使用每个密钥的IP地址,引荐来源网址和移动应用,您可以减少受损API密钥的影响。您可以通过打开凭据页面,然后使用所需设置创建新的API密钥,或者编辑API密钥的设置,指定可以使用Google Developers Console中每个密钥的主机和应用。
By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.
删除不需要的API密钥
要最大限度地减少您的攻击风险,请删除所有API密钥您不再需要。
To minimize your exposure to attack, delete any API keys that you no longer need.
定期重新生成您的API密钥
您可以通过打开凭据页面并单击每个键的重新生成密钥,从Google Developers Console重新生成API密钥。然后,更新您的应用程序以使用新生成的密钥。生成替换密钥后,旧密钥将继续工作24小时。
You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.
在公开发布之前查看代码
在公开代码之前,请确保您的代码不包含API密钥或任何其他私人信息。
Ensure that your code does not contain API keys or any other private information before you make your code publicly available.
这篇关于YouTube API密钥安全 - 我应该多担心?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
