隐藏客户端API调用 [英] Hiding client side API calls

问题描述

我当时正在制作一个小型应用程序(.net Web api后端服务和用于前端的angularjs)，只是为了学习这些框架，开始喜欢项目本身，并认为部署它会很好...

I was making a small app (.Net web api backend service and angularjs for frontend) just to learn these frameworks, started to like project itself and thought it would be nice to deploy it...

无论如何，.net rest服务是尽可能公开的，目前任何人都可以通过api对象暴露，并且显然我不希望有人偶尔清除我的数据库.我实际上并没有存储任何敏感信息，这是一个小型的网络游戏，我存储在db中的所有东西都是诸如物品，位置，游戏大厅，玩家(仅id，用户名和参考列)之类的东西，但是仍然删除它们会在某处引起大问题

However thing my .net rest service is as public as it gets, at the moment anyone can crud exposed through api objects and obviously I don't want somebody clearing my database once in a while. I don't really store any sensitive information, it's small web game, all I store in db are things like items, locations, game lobbies, players (only id, username and reference columns), but still deleting them will cause big problems somewhere.

那我该怎么预防呢?我的第一个想法是，只要没人通过隐藏用户的API调用来发现我的api地址，就可以解决该问题.这可能是现实的解决方案吗?

So what how can I prevent this? My first thought is that it would be solved as long as nobody discovers my api address by somehow hiding API calls from user. Is this possible and realistic solution?

推荐答案

您无法从客户端隐藏API调用，无论您做什么，他们始终可以使用像

You cannot hide your API calls from the client, no matter what you do they could always use a packet sniffer like Wireshark to see what your app is doing.

您需要构建一个更安全的API，该API仅允许用户操纵其帐户.您可以通过分配令牌来控制它们的访问，例如 oAuth 的工作方式.

You need to build a safer API that only allows users to manipulate their account. You can control their access by assigning tokens, like the way oAuth works.

这篇关于隐藏客户端API调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！