仅允许某些网站访问PHP API [英] Only allowing certain websites access PHP API
问题描述
我目前面临着保护客户在其网站上使用的API的问题.但是,由于此API是由JavaScript调用的,因此我发现很难找到一种仅允许这些人访问API/URL的方法.
I am currently facing the problem of securing up an API my clients use on their websites. However because this API is called by JavaScript I'm finding it hard to figure out a way to only allow these access the API/URL's.
那么我将如何处理呢?我将如何只允许访问这些链接.显然,链接可能会遭到破坏,但是如果它不是来自经过验证的站点,我想有一种方法来拒绝脚本运行.我所能想到的ATM是Refererer标头,众所周知,它可以被伪造.有没有办法可以跟踪请求的来源?如果是这样,怎么办?因为这样我就可以检查请求的来源,如果它不是允许的来源,则只需发出403 Forbidden.
So how would I go about this? How would I only allow access to these links. Obviously the links could be compromised but I would like to have a way to deny the script from operating if it hasn't come from an verified site. ATM all I can think of using is the Referrer header which as we all know, can be faked. Is there a way I can trace the source of the request? If so, how? Because then I could just check the source of the request and if it isn't an allowed source then just issue a 403 Forbidden.
谢谢.如果您需要更多信息,请随时提问!
Thanks. If you need any more information please feel free to ask!
推荐答案
我个人将构建一个数据库表,该表列出了您要允许的网址以及每个网址的唯一键,例如
Personally I would build a database table which listed the urls that you want to allow and also a unique key for each of them something like
url = http://stackoverflow.com
key = 9fc4c60c2f6b9aaba3a640e5e4b9bc4d
key = 9fc4c60c2f6b9aaba3a640e5e4b9bc4d
然后使用基本身份验证对您的呼叫进行身份验证,并检查身份验证标头以匹配每次访问的网址和密钥.
Then use basic auth to authenticate your calls and check the auth headers to match both the url and the key of every access.
这显然取决于您构建API的方式,但是作为一个提示 Slim PHP Framework 是一个很棒的工具并具有非常好的基本身份验证中间件
This obviously depends on how you have built your API but as a tip Slim PHP Framework is a great tool and has a really nice basic auth middleware
另一种方法是拥有一个php文件,该文件包含所有允许的站点的数组,然后为每个调用检查该数组.
The other way is to have a php file which holds an array of all of your allowed sites and then check through this array for each call.
这篇关于仅允许某些网站访问PHP API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
