Securing API Keys In JAM Stack


Question

I am new to JAM stack. The web applications in JAM stack (I am hosting my app on Netlify) will rely completely on APIs for storing info and authentication, right?

So my concern is that I would have to expose all of my API keys publicly in my JavaScript code. Anyone who knows how to open up the site source could see my API secrets, and they could easily be misused.

I was reading through an open issue in the JAM stack repo here on Github.

How can I secure my API keys from eavesdropping and misuse?

What is the "best practice" in this case?

Thanks in advance.

Answer

Disclaimer: I work for Netlify

This is a frequent question, and Netlify did develop some features to handle this without any additional services you have to run. Both are shown in this article, but I'll summarize here: https://www.netlify.com/docs/redirects/#structured-configuration

  1. You can proxy to other services with a special HTTP header using the headers directive on redirects in netlify.toml (only there, not in _redirects!).

  2. Netlify will sign your request with a JWS; if your remote service can verify the signature and reject unsigned requests, nobody else can use your keys successfully. You can use the signed directive for your redirect (again, only in netlify.toml, not in _redirects).

Both of these do require you to have some control over the API (or have it support requiring one of those configurations before accepting your API request).

If you can't control the API, you could consider using a function to add them into the API request, in effect proxying for you. Note this is a bit complicated and has a hard limitation that your code + the proxy + response must happen within 10s, which is as long as you have for a function invocation by default on Netlify.

