How to hide/secure API keys in an Angular 2 client side application?

Problem description

I am developing an Angular 2 application. I am making several API calls from my service, but I don't want to publish the keys.

I know that using the keys from the backend is the preferred method, but surely there must be a way to do this from the frontend.

I have been researching how to effectively hide the API keys in the frontend, but have not found any well-explained resources on how to do so.

What is the best way to do this?

Recommended answer

Well, the truth is that anything sent down to the client, including info used in HTTP calls, can be reverse engineered. Having an API key in a URL will by its own nature not be able to be obscured. The only true way to hide this completely from the client is to keep it on the backend, as you've mentioned. The most you can do is make it difficult to trace, like providing it encrypted in an environment variable and having your app decrypt it before sending, but it's still going to be in the HTTP call in plain text.

The good news is that the APIs you've mentioned in your comments are public APIs, so there is really no need to hide them. The information they provide is public to begin with, and if anyone really wanted an API key they could just sign up for one. The keys are mostly used by the services themselves to track usage (so stealing it would have no benefit, as usage would just increase and run out more quickly). If you do end up buying one and the service does not offer obfuscation methods themselves (i.e. session tracking / cookies), you'd have to mitigate it through your backend.

Your head is in the right place, but in this case it doesn't seem like a necessary step.
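
The backend approach the answer describes, sketched as an added example that is not part of the original question or answer: the Angular app calls its own `/api/...` routes and the server attaches the key before forwarding. The upstream host, the `appid` parameter name, the route table and the `WEATHER_API_KEY` variable are hypothetical.

```javascript
// Added example: server-side proxy logic that keeps the API key off the client.
// Assumptions (not from the original post): the upstream host, the "appid"
// parameter name, the routes and WEATHER_API_KEY are all hypothetical.
const UPSTREAM = 'https://api.example.com';
const KEY_PARAM = 'appid';
// Only these client-facing routes are forwarded, each to a fixed upstream path.
const ROUTES = new Map([
  ['/api/weather', '/data/weather'],
  ['/api/forecast', '/data/forecast'],
]);
const ALLOWED_PARAMS = new Set(['q', 'units', 'lang']);

// Build the upstream URL for a client request, or return null when the
// route is not allow-listed or no key is configured.
function buildUpstreamUrl(clientUrl, apiKey) {
  const incoming = new URL(clientUrl, 'http://localhost');
  const upstreamPath = ROUTES.get(incoming.pathname);
  if (!upstreamPath || !apiKey) return null;
  // The host always comes from UPSTREAM, never from the client's URL.
  const target = new URL(upstreamPath, UPSTREAM);
  // Copy only allow-listed parameters; anything else, including a
  // client-supplied key parameter, is dropped.
  for (const [name, value] of incoming.searchParams) {
    if (ALLOWED_PARAMS.has(name)) target.searchParams.append(name, value);
  }
  target.searchParams.set(KEY_PARAM, apiKey); // key is added on the server only
  return target.toString();
}

// Node http-style handler: http.createServer(proxyHandler).listen(3000)
async function proxyHandler(req, res, fetchImpl = fetch) {
  const target = buildUpstreamUrl(req.url, process.env.WEATHER_API_KEY);
  if (!target) {
    res.writeHead(404, { 'Content-Type': 'application/json' });
    return res.end(JSON.stringify({ error: 'not found' }));
  }
  try {
    const upstream = await fetchImpl(target);
    const body = await upstream.text();
    res.writeHead(upstream.status, { 'Content-Type': 'application/json' });
    res.end(body);
  } catch (err) {
    // Do not echo err.message: it can contain the upstream URL with the key.
    res.writeHead(502, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ error: 'upstream unavailable' }));
  }
}
```

Because the proxy itself is reachable by anyone who can load the app, usage limits still have to be enforced on the backend route, for example per session or per IP.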
