Passing API Keys In HEADER or URL?


Question

I have noticed that some APIs have you pass an API key as a URL parameter while others have you pass it in the HTTP header. I am developing a web-based application that is going to rely heavily on a REST API, and right now I just have it so the API key is passed through as a URL parameter.

My question is whether or not one of those options is more secure than the other?

Recommended answer

In both cases, the API key will be passed unencrypted. So both are insecure unless you use HTTPS.

In practice, the HTTP header turns out to be a little bit more secure because:

  1. The URL is stored in the browser history
  2. The URL is stored in server-side access logs

Aside: A REST API over the web cannot be secured unless you ask the user to log in with their credentials. Anybody can easily identify the API key and make requests to your server.

EDIT : In response to @segfault's comments -

A website user generally does not enter an API key. They enter their user name and password, and this is traded to get the API key or access token as it is typically called.

If you force your users to enter the API key instead of user name and password, well, it'd be secure. But as I said, I haven't seen any serious application do that.

More specifically, I meant "If a backend API expects an API key, and you are making AJAX calls from the browser, and you don't ask the user for some sort of credentials, you are insecure"
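The answer's second point (a key in the query string ends up in server access logs, a key in a header does not) can be shown offline by rendering what a Common Log Format line records for each request shape. This is an added example, not code from the question or the answer; the key value, the client address and the log format are constructed, and the redaction helper is an illustration of how to clean up logs that already contain such keys.

```python
import re
from urllib.parse import urlsplit

# Constructed sample key for the demo; not a real credential.
SAMPLE_KEY = "sk_test_0123456789abcdef"


def request_target(url):
    """Path plus query string: the part of the URL that appears in the request line."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def access_log_line(method, url, headers, status=200, size=512, client="203.0.113.7"):
    """Render what a Common Log Format access log records for one request.
    CLF logs only the request line, so `headers` is deliberately unused: a key
    carried in an Authorization header never reaches the log, a key in the
    query string always does."""
    return (f'{client} - - [10/Oct/2000:13:55:36 -0700] '
            f'"{method} {request_target(url)} HTTP/1.1" {status} {size}')


def key_in_log(line, key):
    """True if the secret value is present verbatim in the log line."""
    return key in line


# Parameter names commonly used to carry credentials in query strings (assumed list).
SECRET_PARAMS = ("api_key", "apikey", "key", "token", "access_token")
_SECRET_RE = re.compile(r'([?&](?:%s)=)[^&\s"]+' % "|".join(SECRET_PARAMS), re.IGNORECASE)


def redact_query_secrets(line):
    """Mask the value of any sensitive query parameter found in a log line."""
    return _SECRET_RE.sub(r"\1[REDACTED]", line)


def demo():
    """Compare the two request shapes and return what an operator would observe."""
    url_with_key = f"https://api.example.com/v1/items?api_key={SAMPLE_KEY}&page=2"
    url_clean = "https://api.example.com/v1/items?page=2"
    header_with_key = {"Authorization": f"Bearer {SAMPLE_KEY}"}
    line_url = access_log_line("GET", url_with_key, {})
    line_header = access_log_line("GET", url_clean, header_with_key)
    return {
        "url_leaks": key_in_log(line_url, SAMPLE_KEY),        # True
        "header_leaks": key_in_log(line_header, SAMPLE_KEY),  # False
        "redacted": redact_query_secrets(line_url),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

Redacting after the fact is a mitigation for existing logs only; the key has still passed through proxies and browser history on the way, which is the reason to move it into a header in the first place.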
