How to prevent automated requests to my Laravel/Lumen API?


Problem description

So, I intend to completely separate my back-end from my front-end. I am learning about the Laravel/Lumen API and I intend to return my database data in JSON format to be used by my front-end developers.

I have read several similar threads on Stack Overflow and watched some YouTube videos. Most of them suggested that I should generate a token for "authorized" users. However, the problem is that my project does not have a login system. All of my users are guest users. So, I can't first authorize a person and then generate a token for them.

From what I have understood (which could be flawed), the Laravel API follows a RESTful system. So, it is stateless and I can't use a CSRF token to check that a request comes from a submitted form and is not automated. So, what other options do I have?

The reason that I want to separate automated requests from requests coming from forms is that sometimes I have to do heavy processing on some requests and I don't want an automated script to send mass requests and cause a DoS attack.

Thanks for your help.

Recommended answer

Rate limiting can help prevent automated scripts. Laravel has this implemented by default via the Throttle middleware. The default throttle is 60:1 (throttle:60,1), which translates to throttling if 60 attempts are registered within 1 minute.

This middleware is applied to all routes; however, you can override this for individual routes and define custom values for the number of attempts and the time. The following example, adapted from the documentation, configures the route to throttle if there are 30 attempts within 1 minute:

Route::middleware('auth:api', 'throttle:30,1')->group(function () {
    Route::get('/user', function () {
        //
    });
});

There are other configuration options; please do refer to the documentation for more information on that.

https://laravel.com/docs/7.x/routing#rate-limiting

How does Laravel check that a guest user has sent too many requests?

In very basic terms, Laravel keeps track of hits on a particular endpoint/domain by a particular IP in the application cache. The request domain and the IP are used as the cache key. Every time an endpoint is hit, the number of attempts, stored in the cache, is incremented. If the number of attempts reaches the maximum number of allowed attempts within the time window specified in the throttle config applied on the route, that IP will be locked out for a while.

Attempts are automatically cleared if there's no new hit in the time window.
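The cache-keyed counter described in the answer, as an added example that is not from the original answer or from Laravel's own RateLimiter: a minimal PHP re-implementation in the same style, with an in-memory array standing in for the application cache, keyed on request host plus client IP, using the 30-per-minute values from the route above. The class and method names, the sample host and the sample IPs are assumptions made for the illustration.

```php
<?php
// Added illustration, not Laravel's own code: a fixed-window counter in the style
// the answer describes. The array below is a constructed stand-in for the app cache.
final class FixedWindowThrottle
{
    private int $maxAttempts;
    private int $decaySeconds;
    private array $cache = []; // key => ['attempts' => int, 'expires_at' => int]
    public function __construct(int $maxAttempts, int $decaySeconds)
    {
        $this->maxAttempts = $maxAttempts;
        $this->decaySeconds = $decaySeconds;
    }
    // Mirrors the answer: the request host and the client IP form the cache key.
    private function key(string $host, string $ip): string
    {
        return sha1($host . '|' . $ip);
    }
    // Records one hit and returns [allowed, retryAfterSeconds].
    public function hit(string $host, string $ip, int $now): array
    {
        $key = $this->key($host, $ip);
        $entry = $this->cache[$key] ?? null;
        // No entry, or the window elapsed: attempts are cleared and a new window starts.
        if ($entry === null || $entry['expires_at'] <= $now) {
            $entry = ['attempts' => 0, 'expires_at' => $now + $this->decaySeconds];
        }
        if ($entry['attempts'] >= $this->maxAttempts) {
            // Locked out for the rest of the window; report it as a Retry-After value.
            $this->cache[$key] = $entry;
            return [false, $entry['expires_at'] - $now];
        }
        $entry['attempts']++;
        $this->cache[$key] = $entry;
        return [true, 0];
    }
}

// Constructed demo matching 'throttle:30,1': 30 hits allowed per 60-second window.
$throttle = new FixedWindowThrottle(30, 60);
$t0 = 1700000000; // constructed Unix timestamp used as the window start
for ($i = 0; $i < 30; $i++) {
    $throttle->hit('api.example.test', '203.0.113.7', $t0 + $i);
}
[$ok, $retry] = $throttle->hit('api.example.test', '203.0.113.7', $t0 + 30);
printf("31st hit from the same IP allowed=%s, retry after %ds\n", var_export($ok, true), $retry);
[$ok2] = $throttle->hit('api.example.test', '203.0.113.8', $t0 + 30);
printf("hit from another IP allowed=%s\n", var_export($ok2, true));
[$ok3] = $throttle->hit('api.example.test', '203.0.113.7', $t0 + 61);
printf("same IP after the window expired allowed=%s\n", var_export($ok3, true));
```

Because the key is the client IP, guests behind one NAT or proxy share a single counter, which is the trade-off to weigh when there is no per-user token.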
