是否有一种从客户端脚本执行API请求的安全方法？ [英] Is there a secure way to perform an API request from clientside script?

问题描述

我有一个场景，我的apigateway将变得安全，这是访问所有微服务的条目。



现在我们使用这些API基于Web的应用程序通过进行服务器端调用（使用C＃）。



我们将公开API，移动应用程序，其他Web应用程序或其他服务可以请求他们消耗数据。



有没有一种安全的方法可以从客户端脚本执行API请求，比如javascript？



据我所知，这是不可能的。



期待一些好的建议。热烈欢迎任何进一步的讨论。



我尝试过：



1.我读过很多文章，提到在客户端和API服务器之间使用代理服务器。

2.Hashing信息组合和传入标题。

3。在cookie中存储信息。

解决方案

您是否看过使用JSON Web令牌？ （JWT，也发音为JOT。）这些是保护API调用的行业标准。这是一个很好的简短介绍： JSON Web令牌剖析 - 苏格兰威士忌 [ ^ ]

I have a scenario where my apigateway is going to be made secure, which is the entry to access all micro services.

Right now we use these APIs for web based apps by making server side calls(using C#).

we are going to make the APIs public, where mobile apps, other web apps or other services can request them to consume the data.

Is there a secure way to perform API request from client side script like javascript?

As far as i have come across, it is quite impossible.

Expecting some good suggestions. Any further discussion is warmly welcomed.

What I have tried:

1.I have read across few articles mentioning use of proxy servers in between client and API server.
2.Hashing combination of informations and passing in headers.
3.Storing information in cookies.

解决方案

Have you looked at using JSON Web Tokens? (JWT, also pronounced "JOT".) These are sort of an industry standard for securing API calls. Here's a good short intro: The Anatomy of a JSON Web Token ― Scotch[^]

这篇关于是否有一种从客户端脚本执行API请求的安全方法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！