没有基于登录的身份验证，有没有办法保护API? [英] Is there a way to secure an API without login based authentication?

问题描述

我目前正在为网站开发API，但是该网站不需要登录即可使用，因此该API必须在没有个人用户身份验证的情况下工作.目的是防止第三方使用该API.

I'm currently developing an API for a website, but the website doesn't require logging in to use, so the API has to work without individual user authentication. The goal is to prevent the API from being used by a 3rd party.

有没有一种方法可以保护API仅在我的网站上使用，而无需使用登录身份验证来防止第三方调用后端服务.

Is there a way to protect the API to only be used by my website, without using login authentication to prevent 3rd parties from calling the backend service.

我研究了CORS，但这似乎不是一个有力的保证.另一个想法是旋转API密钥.在这些情况下通常使用什么?

I've looked into CORS, but it doesn't seem like a strong guarantee. Another thought was a rotating API key. What is usually used in these situations?

推荐答案

在加载网站时，请在客户端中设置唯一令牌.将所有请求中的唯一令牌发送到服务器，这可以帮助您确定客户端是否正在访问API.

When your website is loaded, set a unique token in your client. Send this unique token in all your requests to your server which can help you identify whether the API is being accessed by your client.

用户不必登录，但是在这种情况下，您可以设置一个令牌，类似于API密钥身份验证类型.

User doesn't have to login, but you set a token in this case, which is similar to API Key authentication type.

这篇关于没有基于登录的身份验证，有没有办法保护API?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！