Prevent direct API access from browser

Views: 159

Question

Currently as it stands, if a user reads the source of my web application, they'd be able to determine the direct URIs of all the RESTful services my web application utilizes.

The problem I see is this: My web application knows how to correctly use the API, and I might not have thought of every single validation known to man to prevent bad data from being sent through the API.

And so with that is there a method to prevent "direct" access to the API and limit it only to my web application?

P.S. As an FYI: API calls concerning a user are protected by the presence of a user-specific cookie which is only issued upon login. This means I'm not too afraid of User X being able to directly modify User Y's data through the API.

Answer

No.

If the browser is making the request, the user can spoof the request. Period.

My web application knows how to correctly use the API

That's good, but that's leading you down the path of assuming client-side functionality executed as intended. Never make that assumption.

I might not have thought of every single validation known to man to prevent bad data from being sent through the API

This statement leads me to believe that the API itself is more complex than it needs to be. The best thing you can do is simplify. It's difficult to be more specific without seeing specific code, but API requests should be fairly simple and straightforward and the same techniques to prevent malicious code from getting through should be applied universally. The same general rules apply here as in any web application interaction...

  1. Never trust anything that comes from the client
  2. Never assume client-side code executed as intended
  3. Never execute input as code; always treat it as a raw value
  4. etc...

As you mention toward the end, you've already taken care of authentication and authorization for the requests. Given that, if User X is permitted to make a given API call, then what you're essentially asking is, "How do I allow User X to make an API call without allowing User X to make an API call?" The server can't tell the difference. A request is a request.

Sure, there are things you can try, such as always including some custom header in requests made from code. But anybody can inspect that request and spoof that header. The user's browser isn't part of your application and isn't under your control.
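The following is an added example, not code from the question or the answer above. It shows what the answer's rules look like on the server side: a handler for a profile-update call that decides authorization from the login cookie alone and validates the body against a strict allow-list, so the outcome is the same whether the request came from the web application or was hand-written. The session store, user records, cookie name and request shape are constructed for this example; a real application would use its framework's request and session objects.

```javascript
// Added example (not from the original Q&A): a server-side handler that
// never relies on the request having come from "our" front-end.
// SESSIONS, PROFILES, the cookie name and the request shape are constructed.

const SESSIONS = new Map([
  // constructed: session id -> user id, as issued at login
  ["sess-abc", "user-7"],
]);

const PROFILES = new Map([
  ["user-7", { displayName: "Ada", bio: "" }],
  ["user-9", { displayName: "Bob", bio: "" }],
]);

// Allow-list schema: only these fields, only these types, bounded length.
// Anything not listed here is rejected, not silently dropped.
const PROFILE_SCHEMA = {
  displayName: { type: "string", maxLength: 40 },
  bio: { type: "string", maxLength: 280 },
};

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Rule 3: input is data, never code. Check shape, type and size and
// report every problem rather than trying to "repair" bad input.
function validateProfileUpdate(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  const errors = [];
  const keys = Object.keys(body);
  if (keys.length === 0) return ["no fields to update"];
  for (const key of keys) {
    const rule = PROFILE_SCHEMA[key];
    if (!rule) { errors.push(`unknown field: ${key}`); continue; }
    const value = body[key];
    if (typeof value !== rule.type) { errors.push(`${key}: expected ${rule.type}`); continue; }
    if (value.length > rule.maxLength) errors.push(`${key}: longer than ${rule.maxLength}`);
  }
  return errors;
}

// Handler for PUT /api/users/:userId/profile (constructed route).
function handleProfileUpdate(request) {
  // Rules 1 and 2: nothing about the caller is trusted. A custom header
  // such as X-Requested-With is deliberately not consulted: it proves
  // nothing about who sent the request, as the answer points out.
  const cookies = parseCookies(request.headers && request.headers.cookie);
  const actor = SESSIONS.get(cookies.session);
  if (!actor) return { status: 401, body: { error: "not logged in" } };

  // Authorization comes from the session, never from the request body.
  if (actor !== request.params.userId) {
    return { status: 403, body: { error: "forbidden" } };
  }

  const errors = validateProfileUpdate(request.body);
  if (errors.length > 0) return { status: 400, body: { errors } };

  // Copy only allow-listed keys explicitly; never merge the raw body.
  const profile = PROFILES.get(actor);
  for (const key of Object.keys(PROFILE_SCHEMA)) {
    if (Object.prototype.hasOwnProperty.call(request.body, key)) {
      profile[key] = request.body[key];
    }
  }
  return { status: 200, body: { profile: { ...profile } } };
}
```

The point of the design is that there is no branch for "requests from our own JavaScript": every request is checked the same way, so a hand-crafted call is no more dangerous than one the application itself would make.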
