How to hide the API key in my Electron application?


Problem description

I'm building an Electron application that uses Google's YouTube Data API v3. For accessing the API, I decided to use the standard API key (instead of OAuth, since I am not going to be accessing any personal data).

But the problem is, I cannot hide the API key in my app, and I also cannot use referrer restrictions (referrer restrictions allow you to filter which web sites can use your API key (by HTTP address)), since this is an Electron app. So basically, if someone looks at the source code (or even just at the developer tools), they can see the key, and use it freely.

Any advice on what to do? Thanks.

Recommended answer

The only way to secure your API key for an application that does not require users to register or log in is to place it behind a server proxy. So, when they start the app, the app reaches out to your server, the server then returns the API key so it only resides in the app in dynamic form and is never visible to users.

However, this is still insecure: if they use a packet sniffer or local proxy, they can grab your token.

The most secure way to do this is to make all your API requests from a private server that your app has access to. So, the app makes no requests to YouTube, it only gets the data from your server.

Then, you can secure your app by signing API requests to your private server with a private key. For example, you could have a config file in the app with a private key that is sent in the header of every API request. Then, the only way to get your key would be to decompile your app, and then access that config file, then make API requests to your private server using the same private information. Then, to prevent malicious users, you can monitor traffic and set up request limits, like 1 request per second per app. Any app exceeding that limit could be black-listed as a DDoS attack or a malicious user.

The data flow would look like this:

    App -> Server (with Api Key) -> youtube (data) -> Server (data) -> App
