基于用户IP地址的API [英] API based on user IP address

问题描述

我开发了一个 API 来获取所有数据.

I developed an API to get all the data.

该站点没有用户注册系统或任何用于识别调用 API 的用户的系统.如果我能识别拨打电话的用户，那么每当有人滥用或攻击 API 时，我什至可以禁止他的 IP.

The site do not have a user registration system or anything to identify the user making a call to the API. If I could identify the user making the call, whenever someone misuse or attack the API I could even ban his IP.

我正在考虑根据用户 IP 或 MAC 地址生成 API 密钥，但这样做是否安全?还有其他建议吗?

I'm thinking of generating an API key based on user IP or MAC address but is it safe to do so? Any other suggestions?

推荐答案

首先，您不会获得最终用户的 MAC 地址.即使您读取传入数据包的 MAC 地址，您也只能获得路由器的 MAC 地址(您绝对不想禁止！)

First, you won't get the MAC address of the end-user. Even if you read the MAC address of incoming packets, you'll only get the MAC address of your router (which you definitely do not want to ban!)

用户 IP 很容易更改和/或欺骗(例如，恶意软件或混淆的副手 Javascript).阻止那些发出错误请求的请求仍然是一个好主意，但您绝对不想将它们用于身份验证.

User IPs are pretty easy to change and/or spoof (malware or confused-deputy Javascript, for example). Blocking those that make bad requests is still a good idea, but you definitely don't want to use them for authentication.

您应该考虑几乎所有 HTTP 请求(路径、标头等)中受攻击者控制的输入，绝对不能仅根据其中包含的信息做出身份验证决定.

You should consider pretty much everything in an HTTP request (path, headers, and so on) attacker-controlled input and definitely not make authentication decisions based solely on information contained therein.

您提到您有一个 PHP 后端.为什么不构建一个系统来通过它生成 API 密钥?

You mention you have a PHP backend. Why not build a system to generate API keys through that?

这篇关于基于用户IP地址的API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！