如何限制 JSON 访问? [英] How do I restrict JSON access?

问题描述

我有一个 Web 应用程序，可以从我新创建的 JSON API 中提取数据.

I have a web application that pulls data from my newly created JSON API.

我的静态 HTML 页面通过 JavaScript 从静态 HTML 页面动态调用 JSON API.

My static HTML pages dynamically calls the JSON API via JavaScript from the static HTML page.

如何限制对我的 JSON API 的访问，以便只有我(我的网站)可以调用它?

如果有帮助，我的 API 类似于:http://example.com/json/?var1=x&var2=y&var3=z... 根据查询生成适当的 JSON.

In case it helps, my API is something like: http://example.com/json/?var1=x&var2=y&var3=z... which generates the appropriate JSON based on the query.

我正在使用 PHP 来生成我的 JSON 结果......可以像检查 $_SERVER['HTTP_REFERER'] 一样简单地限制对 JSON API 的访问，以确保 API 是唯一的是从我的域而不是远程用户调用的?

I'm using PHP to generate my JSON results ... can restricting access to the JSON API be as simple as checking the $_SERVER['HTTP_REFERER'] to ensure that the API is only being called from my domain and not a remote user?

推荐答案

我认为您可能误解了 JSON 请求是从用户浏览器而不是从您自己的服务器发起的部分.静态 HTML 页面被传递到用户的浏览器，然后它转身执行页面上的 Javascript 代码.此代码打开一个新的连接回到您的服务器以获取 JSON 数据.从您的 PHP 脚本的角度来看，JSON 请求来自外部世界的某个地方.

I think you might be misunderstanding the part where the JSON request is initiated from the user's browser rather than from your own server. The static HTML page is delivered to the user's browser, then it turns around and executes the Javascript code on the page. This code opens a new connection back to your server to obtain the JSON data. From your PHP script's point of view, the JSON request comes from somewhere in the outside world.

鉴于上述机制，您无法阻止任何人在您的 HTML 页面上下文之外调用 JSON API.

Given the above mechanism, there isn't much you can do to prevent anybody from calling the JSON API outside the context of your HTML page.

这篇关于如何限制 JSON 访问?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！