API安全:如何限制通过域访问? [英] API Security: how to restrict access by domain?
问题描述
我露出一个简单的API,并需要确保只有授权的用户访问它。我将提供API密钥验证。不过,我也想API密钥某个域关联(意思是,如果它正在从授权域使用它应该只工作)。
I'm exposing a simple API and need to make sure only authorized users access it. I will be providing an API key to authenticate. However, I also want to associate the API key to a certain domain (meaning, it should only work if it's being used from the authorized domain(s)).
我如何在API一边检查是否正在从授权的域名访问? HTTP_REFERER显然是不可靠的。建议?
How do I check on the API side if it is being accessed from an authorized domain? HTTP_REFERER apparently is not reliable. Suggestions?
推荐答案
您揭露什么样的API?有许多不同类型的API - 我想你不要暴露你的操作系统的API ...
What kind of API are you exposing? There are many different kinds of APIs - I assume you do not expose your operating system's API...
假设你想揭露一些 Web应用程序的API ,您可以看看 的OAuth <这是基于回调的URL / STRONG> - 你可以从刚刚通过回调URL被称为阻止某些域
Assuming you want to expose some web application's API, you may take a look at OAuth, which is based on callback URLs - you can just block certain domains from being called through callback URL.
了解更多关于的OAuth 。
这篇关于API安全:如何限制通过域访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!