API安全：如何限制通过域访问？ [英] API Security: how to restrict access by domain?

问题描述

我露出一个简单的API，并需要确保只有授权的用户访问它。我将提供API密钥验证。不过，我也想API密钥某个域关联（意思是，如果它正在从授权域使用它应该只工作）。

I'm exposing a simple API and need to make sure only authorized users access it. I will be providing an API key to authenticate. However, I also want to associate the API key to a certain domain (meaning, it should only work if it's being used from the authorized domain(s)).

我如何在API一边检查是否正在从授权的域名访问？ HTTP_REFERER显然是不可靠的。建议？

How do I check on the API side if it is being accessed from an authorized domain? HTTP_REFERER apparently is not reliable. Suggestions?

推荐答案

您揭露什么样的API？有许多不同类型的API - 我想你不要暴露你的操作系统的API ...

What kind of API are you exposing? There are many different kinds of APIs - I assume you do not expose your operating system's API...

假设你想揭露一些 Web应用程序的API ，您可以看看 的OAuth <这是基于回调的URL / STRONG> - 你可以从刚刚通过回调URL被称为阻止某些域

Assuming you want to expose some web application's API, you may take a look at OAuth, which is based on callback URLs - you can just block certain domains from being called through callback URL.

了解更多关于的OAuth 。

这篇关于API安全：如何限制通过域访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！