如何保护 AJAX 应用程序中的私有 REST API [英] How to protect a private REST API in an AJAX app
问题描述
我知道发布了许多类似的问题,但没有一个是指用户可以访问代码的 HTML/javascript 应用程序.
I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.
我有一个用 nodejs 编写的私有 REST API.它是私有的,因为它的唯一目的是为我的 HTML5 客户端应用程序(Chrome 应用程序和 Adobe Air 应用程序)提供服务.因此 API 密钥不是一个好的解决方案,因为任何用户都可以看到 javascript 代码.
I have a private REST API written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.
我想避免机器人在我的服务器上创建帐户并消耗我的资源.
I want to avoid bots creating accounts on my server and consuming my resources.
有什么办法可以实现吗?
Is there any way to acomplish this?
推荐答案
API 密钥是一个不错的解决方案,尤其是当您需要对 API 密钥的请求来源进行限制时;考虑到如果原始 Web 请求来自授权来源(例如您的私有域),您应该只接受 API 密钥.如果网络请求来自未经授权的域,您可以简单地拒绝处理该请求.
An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.
您可以通过使用专门的编码方案来提高此机制的安全性,例如基于哈希的消息身份验证代码 (HMAC).以下资源清楚地解释了这种机制:
You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:
http://cloud.dzone.com/news/using-api-keys-effectively
这篇关于如何保护 AJAX 应用程序中的私有 REST API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
