API根据用户的IP地址 [英] API based on user IP address

问题描述

我开发了一个API来获取所有数据。

I developed an API to get all the data.

该网站没有一个用户注册系统或任何识别使得对API的调用用户。如果我能识别用户进行调用，每当有人滥用或攻击API我甚至可以禁止他的IP。

The site do not have a user registration system or anything to identify the user making a call to the API. If I could identify the user making the call, whenever someone misuse or attack the API I could even ban his IP.

我想生成基于用户IP或MAC地址的API密钥，但它是安全的这样做？任何其他建议？

I'm thinking of generating an API key based on user IP or MAC address but is it safe to do so? Any other suggestions?

推荐答案

首先，你不会得到最终用户的MAC地址。即使你读传入数据包的MAC地址，你只能得到你的路由器的MAC地址（你肯定不希望禁止！）

First, you won't get the MAC address of the end-user. Even if you read the MAC address of incoming packets, you'll only get the MAC address of your router (which you definitely do not want to ban!)

用户IP地址是pretty容易改变和/或欺骗（恶意软件或混淆，副Javascript中，例如）。阻止那些做出错误的请求仍然是一个不错的主意，但你肯定不希望使用它们进行身份验证。

User IPs are pretty easy to change and/or spoof (malware or confused-deputy Javascript, for example). Blocking those that make bad requests is still a good idea, but you definitely don't want to use them for authentication.

您应该考虑（路径，标题等）攻击者控制的输入，绝对不能仅依据信息的认证决策所载HTTP请求pretty太多的一切。

You should consider pretty much everything in an HTTP request (path, headers, and so on) attacker-controlled input and definitely not make authentication decisions based solely on information contained therein.

您提到您有一个PHP后端。为什么不建立一个系统通过生成API密钥？

You mention you have a PHP backend. Why not build a system to generate API keys through that?

这篇关于API根据用户的IP地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！