How to protect an API Key when using JavaScript?

Problem description

So, I'm developing a small application just for my own use and perhaps an open source project on Git. I'm using an API from Envato Marketplaces, and as you all know there are some operations that don't require any keys, but at the same time there are some that do require them.

I first made a nice API wrapper for the Envato API in PHP, but then I decided to experiment a little bit with JavaScript, so I'm developing the same wrapper with JavaScript. So far I have no problems with the public operations, but I now have to use the API Key.

My question would be if there's a way to protect the API Key in JavaScript. I cannot just put it there in plain text as it can then be used by others who see the code. So would there be an implementation where the API remains secret? Maybe grabbing it from a JSON text file with XHR?

Recommended answer

Short answer: No.

Whatever you do to obfuscate the key, you still have to send it to make it available on the client somehow, and therefore it will be possible to extract it using e.g. Firebug.

Even if you devise an awesome magical way to keep the key secret, at some point you would have to make the actual API request, and as it would have to be sent from the browser, an attacker would be able to read out the key in plain text from Firebug's Net tab.

The right thing to do is to create a PHP wrapper around the API calls that require keys, and then call that wrapper from JavaScript.
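
A sketch of the wrapper the answer describes, added here as an example and not part of the original answer. The upstream host, the operation names, the `API_KEY` environment variable and the bearer-token header are assumptions, not the real Envato API.

```php
<?php
// proxy.php: server-side wrapper; the browser calls this file and never sees the key.
declare(strict_types=1);

const UPSTREAM_BASE = 'https://api.example.invalid/v1/'; // placeholder host (assumption)

// Allowlist: operation name => pattern its argument must match (names are hypothetical).
// Unlisted operations are refused, so the proxy cannot relay arbitrary keyed requests.
const ALLOWED_OPS = [
    'account-info' => '/\A\z/',            // takes no argument
    'item-sales'   => '/\A[0-9]{1,10}\z/', // numeric item id
];

function respond(int $status, string $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    echo $body;
    exit;
}

// The key comes from the server environment, so it is never committed to the Git repo.
$apiKey = getenv('API_KEY');
if ($apiKey === false || $apiKey === '') {
    respond(500, '{"error":"server not configured"}');
}

$op  = $_GET['op']  ?? '';
$arg = $_GET['arg'] ?? '';
if (!is_string($op) || !is_string($arg)
    || !array_key_exists($op, ALLOWED_OPS)
    || preg_match(ALLOWED_OPS[$op], $arg) !== 1) {
    respond(400, '{"error":"unsupported operation"}');
}

// In a real deployment, also require the application's own login session here and
// rate-limit callers; otherwise anyone who can reach proxy.php can spend the key's quota.
$url = UPSTREAM_BASE . $op . ($arg !== '' ? '/' . rawurlencode($arg) : '');
$ch  = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $apiKey], // header form assumed
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_FOLLOWLOCATION => false,           // do not forward the key to a redirect target
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // key only ever leaves over TLS
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
if ($body === false || $status !== 200) {
    respond(502, '{"error":"upstream request failed"}'); // upstream errors are not echoed
}
respond(200, $body);
```

The JavaScript side then requests `proxy.php?op=item-sales&arg=12345` with XHR; the key appears only in the server-to-API request, which the browser's network tab cannot observe.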