如何限制JSON访问? [英] How do I restrict JSON access?

问题描述

我有一个Web应用程序，可从我新创建的JSON API中提取数据.

I have a web application that pulls data from my newly created JSON API.

我的静态HTML页面通过JavaScript从静态HTML页面动态调用JSON API.

My static HTML pages dynamically calls the JSON API via JavaScript from the static HTML page.

如何限制对JSON API的访问，以便只有我(我的网站)可以通过它进行调用?

如果有帮助，我的API类似于: http ://example.com/json/?var1 = x& var2 = y& var3 = z ...会根据查询生成相应的JSON.

In case it helps, my API is something like: http://example.com/json/?var1=x&var2=y&var3=z... which generates the appropriate JSON based on the query.

我正在使用PHP生成我的JSON结果...可以限制对JSON API的访问就像检查$_SERVER['HTTP_REFERER']一样简单，以确保仅从我的域而不是远程用户调用该API?

I'm using PHP to generate my JSON results ... can restricting access to the JSON API be as simple as checking the $_SERVER['HTTP_REFERER'] to ensure that the API is only being called from my domain and not a remote user?

推荐答案

限制访问您的域的常用方法是在内容前添加无限运行的内容.

The usual method for restricting access to your domain is prepend the content with something that runs infinitely.

例如:

while(1);{"json": "here"} // google uses this method
for (;;);{"json": "here"} // facebook uses this method

因此，当您通过XMLHttpRequest或仅限于您的域的任何其他方法来获取此信息时，您知道需要解析无限循环.但是，如果是通过脚本节点获取的:

So when you fetch this via XMLHttpRequest or any other method that is restricted solely to your domain, you know that you need to parse out the infinite loop. But if it is fetched via script node:

<script src="http://some.server/secret_api?..."></script>

它将失败，因为脚本将永远不会超出第一条语句.

It will fail because the script will never get beyond the first statement.

这篇关于如何限制JSON访问?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！