如何限制JSON的访问？ [英] How to restrict JSON access?

问题描述

我有一个从我的新创建的JSON API提取数据的Web应用程序。

I have a web application that pulls data from my newly created JSON api.

我的静态HTML页面调用动态与静态的HTML页面通过JavaScript的JSON API。

My static HTML pages dynamically calls the JSON api via JavaScript from the static HTML page.

如何限制访问我的JSON API，这样只有我（我的网站）可以吗？叫

在情况下，它可以帮助，我的API是一样的东西：<一href=\"http://example.com/json/?var1=x&var2=y&var3=z\">http://example.com/json/?var1=x&var2=y&var3=z...其中根据查询生成适当的JSON

In case it helps, my api is something like: http://example.com/json/?var1=x&var2=y&var3=z... which generates the appropriate JSON based on the query.

我使用PHP生成的json结果...可以限制访问JSON API来为简单地检查 $ _ SERVER ['HTTP_REFERER'] 来确保API只被从我的域调用，而不是一个远程用户？

I'm using PHP to generate my JSON results ... can restricting access to the JSON api be as simply as checking the $_SERVER['HTTP_REFERER'] to ensure that the api is only being called from my domain and not a remote user?

推荐答案

有关限制对您的域名访问的常用方法是prePEND的东西，运行无限的内容。

The usual method for restricting access to your domain is prepend the content with something that runs infinitely.

例如：

while(1);{"json": "here"} // google uses this method
for (;;);{"json": "here"} // facebook uses this method

所以，当你通过XMLHtt prequest也可能是只限于域任何其他方法获取这个，你知道你需要解析出无限循环。但如果是通过脚本节点获取：

So when you fetch this via XMLHttpRequest or any other method that is restricted solely to your domain, you know that you need to parse out the infinite loop. But if it is fetched via script node:

<script src="http://some.server/secret_api?..."></script>

由于该脚本将永远不会超越第一条语句将失败。

It will fail because the script will never get beyond the first statement.

这篇关于如何限制JSON的访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！