保护API密钥 [英] Securing an API key
问题描述
我有一个网站,供用户存储数据。我正在开发一个字preSS插件,将允许其他网站访问存储每个用户的数据和上传新的数据。
I have a website that stores data for users. I am developing a Wordpress plugin that will allow other websites to access the data stored for each user and upload new data.
例如乔建立在我的网站和上传信息的帐户。乔安装在自己的网站上的插件,它会给他访问他储存在我的网站从他自己的网站上的数据。
For example Joe creates an account on my website and uploads information. Joe installs the plugin on his own website which will give him access to the data he stored on my website from his own website.
游客乔网站就能上传在我的网站数据,以乔的账户。乔的网站将决定谁可以访问,谁可以修改和谁可以在我的网站上载新信息乔的帐户。
Visitors to Joe website will be able to upload data to Joe's account on my website. Joe's website will determine who can access, who can modify and who can upload new information to Joe's account in my website.
我想到了我的网站上发布了一个API并具有话语preSS插件访问它。据我所知,乔的网站将有一个API密钥,允许他的网站进行身份验证到我的网站。但是你会prevent别人使用该API密钥和pretending是乔的网站?
I thought about publishing an API on my website and having the Wordpress plugin access it. I understand that Joe's website would have an api key that would allow his website to authenticate to my website. However what would prevent someone else from using that API key and pretending to be Joe's website?
我看到了什么,我想要做类似的实现,我可以看到的API密钥,当我检查code在客户端。什么会$ P $使用该API密钥和pretending是网站pvent我?
I have seen similar implementations of what I want to do and I can see the api key when I inspect the code on the client side. What would prevent me from using that api key and pretending to be the website?
有没有一种方法,以确保API密钥,以便访问者乔的网站不看呢?
Is there a way to secure the API key so a visitor to Joe's website does not see it?
我看到这个答案在这里:如何安全地使用API密钥
I saw this answer here: How to securely use api key
但不会访问者仍然能够看到关键时候乔的网站上张贴的要求,我的网站?
However wouldn't the visitor still be able to see the key when Joe's website post it on the request to my website?
感谢。
推荐答案
API密钥将在其他网站的服务器端使用与您的网站进行沟通,
所以客户端将无法看到它。
The API Key will be used at server side of the other website to communicate with your website, so the client won't be able to see it.
API密钥水湿直接从用户的浏览器可用于访问您的站点资源,因为那么这将是的这是由于安全隐患的浏览器阻止跨站请求伪造。
The API Key cann't be used directly from the user browser to access your site resources since then it will be Cross-site request forgery which is blocked by the browsers due to security risks.
如果您的网站的要求也进行了加密(HTTPS),那么,即使有人,不知怎的,他看着就无法获取API密钥的流量。
If the request to your site is also encrypted (https) then even if someone that somehow watching the traffic he won't be able to fetch the API Key.
如何实现它:
您应该能够处理其他网站请求更新用户配置文件,一个URL,例如:
You should have a URL that can handle other sites requests to update a user profile, for example:
www.yoursite.com/api/updateprofile
现在,你应该决定是否要支持GET / POST请求给定的数据(或同时支持)。
Now you should decide whether you want to support data given by GET/POST requests (or support both).
例如,如果你想支持GET请求,然后告诉他们可以在URL上执行以上操作,与给定参数的其他站点:
API_KEY,USER_ID,FIRST_NAME(可选),姓氏(可选)
For example, if you want to support GET request, then tell the other sites they can perform operation on the Url above, with given parameters: api_key, user_id, first_name (optional), last_name (optional)
在他们的网站上使用的示例:
Example of the usage in their site:
www.yoursite.com/api/updateprofile?api_key="key"&user_id=1&first_name="joe's new first name!"
为了实现它你的网站,只需解析请求,并尝试获取参数,而验证API密钥。
In order to implement it on you site, simply parse the request and try to fetch the parameters, while validating the API key.
我想在PHP语法是像下面的,虽然我不知道:
var api_key = GET["api_key"];
var user_id = GET["user_id"];
更新2:
下面是一个图表来说明你:
Here is a diagram to illustrate to you:
Joe的用户浏览器< ---->乔的服务器---(API_KEY)--->您的网站API
客户端具有的关键进不去,因为乔的服务器,不要将其发送给客户端可言,
客户甚至不知道你的网站存在。
The client has no access to the key, since Joe's server don't send it to the client at all, the client don't even know your site exist.
这篇关于保护API密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
