How do I secure API flask in order to be only consumed for my frontend app?

Views: 43

Problem description


I created an API using flask_restjsonapi. I want to integrate the API where it can only work with my future reactjs frontend (the application is an E-commerce; the API is the backend which is representing the app data layer). I expect that a user could access the products data without being authorized (as a guest), but it certainly needs to be logged in to access a pay view or to buy something. So how could I get this? OAuth (which flow type), basic authentication, cookies. Which steps do I follow?


PS: I'm kind of new in Reactjs and API security.

Recommended answer


First of all, do not implement your own security (I do not think you intend to do that, reading your question; this is for completeness).


Then start by reading the OWASP REST Security Cheat Sheet. It will give you an overview of what to be ready for.


Once you understand what the various elements are for, implement them using a library for your language. Again, do not try to roll your own version - libraries will be way faster and way, way more secure.


I want to integrate the API where it can only work with my future reactjs frontend


This is not possible (the only part). If you have an API, anything can connect to it if it knows how to do that. Do not try to make it a secret (this is called "security by obfuscation", which may or may not be a useful idea, but certainly never a security solution on its own).
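As an added illustration (not part of the question or the answer above) of the guest/logged-in split the question describes, here is a minimal standard-library WSGI application; WSGI is the interface Flask itself runs on, so this runs without Flask installed. Product listing is open to guests, login issues an opaque session token, and checkout refuses requests that do not carry a valid token. The catalogue, the `alice` account, the route names and the bearer-token transport are all constructed for this example. The session store is hand-written only to keep the example dependency-free; in a real Flask project you would express the same split with an extension such as Flask-Login or Flask-JWT-Extended, as the answer recommends.

```python
"""Guest vs. logged-in routes on a plain WSGI app (constructed example, not the
asker's project). Run it to see three in-process requests; no network needed."""
import hashlib
import hmac
import io
import json
import secrets
from typing import Optional

# Constructed sample data: a tiny catalogue and one demo account.
PRODUCTS = [
    {"id": 1, "name": "Keyboard", "price_cents": 4999},
    {"id": 2, "name": "Mouse", "price_cents": 1999},
]


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; never store plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Server-side session store: opaque random token -> username.
SESSIONS = {}


def verify_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user is not distinguishable by timing.
        _hash_password(password, _SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def current_user(environ) -> Optional[str]:
    """Return the logged-in user for this request, or None for a guest."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return SESSIONS.get(token)


def _json(start_response, status, payload):
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def _read_json(environ) -> dict:
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length) if length else b""
    try:
        data = json.loads(raw or b"{}")
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}


def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
    if method == "GET" and path == "/products":
        return _json(start_response, "200 OK", PRODUCTS)  # guests allowed
    if method == "POST" and path == "/login":
        creds = _read_json(environ)
        username = str(creds.get("username", ""))
        if not verify_login(username, str(creds.get("password", ""))):
            return _json(start_response, "401 Unauthorized", {"error": "bad credentials"})
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = username
        return _json(start_response, "200 OK", {"token": token})
    if method == "POST" and path == "/checkout":
        user = current_user(environ)
        if user is None:  # the authorization check the question asks about
            return _json(start_response, "401 Unauthorized", {"error": "login required"})
        return _json(start_response, "200 OK", {"status": "order accepted", "user": user})
    return _json(start_response, "404 Not Found", {"error": "no such route"})


def call(method: str, path: str, body: Optional[dict] = None, token: Optional[str] = None):
    """Drive the app in-process, as any HTTP client could, and return (status, JSON)."""
    raw = json.dumps(body).encode() if body is not None else b""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], json.loads(b"".join(chunks))


if __name__ == "__main__":
    print(call("GET", "/products"))
    print(call("POST", "/checkout"))
    status, data = call("POST", "/login",
                        {"username": "alice", "password": "correct horse battery staple"})
    print(call("POST", "/checkout", token=data["token"]))
```

Note what the guard does and does not do: it decides whether an action is allowed for the caller, not which client program is calling. The `call` helper builds the same WSGI request a browser, `curl` or any other client would send, which is the answer's point that the "only my frontend" part cannot be enforced. For a browser-based React frontend, an HttpOnly session cookie is the usual transport instead of a bearer header, and a library handles the session lifetime, logout and CSRF details this example omits.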
