How do I hide a REST API Url from the end user?

Question

Is it possible to hide my REST URL that I am using via AJAX to populate page data? I don't want others taking and consuming from my REST API, but need to use it to display content in my site.

How do I hide my REST API URLs from the end user?

Recommended answer

It's not possible to hide the URL from the end user in JavaScript. They can simply open up the Network panel in Chrome, or just turn on Fiddler to see it.

In your particular case, the only real way you can hide the URL from the user is to proxy the REST call to your API from your server-side code.

If you must use JavaScript, you can always create and use APIKeys and simply monitor their usage and terminate API Keys that are taking up too much bandwidth; but again -- this isn't going to stop someone from being able to use your API, it'll just let you know when you receive an unexpected amount of traffic from unexpected places.

You could take it further by cycling API keys every day, so if someone wants to use your API, they have to change their code every day -- but again, this won't stop someone, just slow them down.

The only foolproof way is the way I mentioned in my first paragraph -- but that can't be done from client-side JavaScript alone.

What I wrote holds true, even for Single Page Applications (SPA); though you can hide the URL in the address bar by having different routing for your client-side application than your server-rendered pages.

The user can still inspect the traffic in their browser's console to check where the requests are going (there's no getting around that), but you can at least display different paths in the address bar.
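The server-side proxy the answer recommends, sketched for Node.js as an added example (not code from the original post): the browser calls only paths on your own origin, and the server maps an allowlisted path to the real API and attaches a key the client never receives. `UPSTREAM_BASE`, the `X-Api-Key` header, the route table and `PROXY_DEMO_PORT` are assumptions made for illustration.

```javascript
// Added example. UPSTREAM_BASE, X-Api-Key and the route table are hypothetical placeholders.
const UPSTREAM_BASE = process.env.UPSTREAM_BASE || "https://api.internal.example";
const API_KEY = process.env.UPSTREAM_API_KEY || "constructed-demo-key"; // server-side only

// Public path -> upstream path. Anything not listed here is never forwarded.
const ROUTES = new Map([
  ["/content/articles", "/v1/articles"],
  ["/content/authors", "/v1/authors"],
]);

// Translate a browser request into an upstream request, or null if it is not allowed.
function buildUpstreamRequest(method, rawUrl) {
  if (method !== "GET") return null;
  let url;
  try { url = new URL(rawUrl, "http://placeholder.invalid"); } catch { return null; }
  const upstreamPath = ROUTES.get(url.pathname); // exact match on the normalized path
  if (!upstreamPath) return null;
  const target = new URL(upstreamPath, UPSTREAM_BASE);
  const page = url.searchParams.get("page"); // forward only validated parameters
  if (page !== null && /^\d{1,4}$/.test(page)) target.searchParams.set("page", page);
  return { url: target.href, headers: { "X-Api-Key": API_KEY, Accept: "application/json" } };
}

// Handler for Node's http server; fetchImpl is injectable so it can be exercised offline.
async function proxyHandler(req, res, fetchImpl = fetch) {
  const json = { "Content-Type": "application/json" };
  const upstream = buildUpstreamRequest(req.method, req.url);
  if (!upstream) {
    res.writeHead(404, json);
    return res.end(JSON.stringify({ error: "not found" }));
  }
  try {
    const r = await fetchImpl(upstream.url, { headers: upstream.headers });
    if (!r.ok) throw new Error(`upstream status ${r.status}`);
    const body = await r.text();
    res.writeHead(200, json);
    res.end(body);
  } catch {
    // Do not relay upstream error bodies or headers: they can reveal the real endpoint.
    res.writeHead(502, json);
    res.end(JSON.stringify({ error: "upstream unavailable" }));
  }
}

// Set PROXY_DEMO_PORT to serve real traffic with Node's built-in http module.
if (process.env.PROXY_DEMO_PORT) {
  import("node:http").then((http) =>
    http.createServer((req, res) => proxyHandler(req, res)).listen(Number(process.env.PROXY_DEMO_PORT)));
}
```

The proxy paths are still public, so anyone can call them; what the proxy buys is that access control, rate limits and logging are enforced on your server instead of depending on a key shipped to the browser.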
