限制对REST API的访问 [英] Restricting access to REST API

问题描述

我正在使用REST API为我的应用程序制作一个PHP后端.

I'm making a PHP backend for my application using REST API.

我想阻止其他人的脚本访问我的API.我想到了使用$ _SERVER ['HTTP_REFERER']来避免它们.但是，在什么情况下HTTP_REFERER无法正常工作?，说我们不能依靠它.

I would like to prevent other's script to access my API. I thought of using $_SERVER['HTTP_REFERER'] to avoid them. But, in what situation does the HTTP_REFERER not work?, says we cant rely on that.

还有其他方法可以将我的API限制为仅我的客户端吗?

Is there any other way to restrict my API to only my client?

推荐答案

因此，您可以按照Marcin的建议实现HTTP基本身份验证.或者，您可以按照HQarroum的建议实施OAuth.前者更容易实现.对于HTTP BASIC，来自客户端的请求如下所示:

So, you can implement HTTP basic authentication, as suggested by Marcin. Or, you can implement OAuth as suggsted by HQarroum. The former is much easier to implement. For HTTP BASIC, requests from your client look like this:

.. https://用户名:密码 @ yourbackend.host.com/resource/method/foo/bar ..

.. https://username:password@yourbackend.host.com/resource/method/foo/bar ..

实施HTTP基本身份验证非常简单.在Apache中，请参见此.对于nginx，请参见此.

Implementing HTTP basic auth is very simple. In Apache, see this. For nginx, see this.

关于OAuth，实现的复杂性更高.如果您正在研究OAuth，并且不需要使用不同的范围(访问不同数据级别的授权级别)，那么您应该实施一条两条腿的OAuth流.但是，我确实相信，如果您是受保护资源的唯一使用者，则OAuth可能会过大.

Regarding OAuth, that's a bit more complex of an implementation. If you are looking into OAuth, and you don't have the need for different scopes (levels of authorization to access different levels of data), then you should implement a two-legged OAuth flow. However, I do believe that OAuth may be overkill if you're the only consumer of the protected resources.

我建议在所有情况下都使用SSL(https).

I recommend using SSL (https) in all cases.

关于，
尼尔
http://developer.mashery.com

这篇关于限制对REST API的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！