Is there a way to detect from which source an API is being called?


Problem description

Is there any method to identify from which source an API is called? Source refers to an iOS application, a web application like a page or button click (Ajax calls etc.).

Although saving a flag like (?source=ios or ?source=webapp) while calling the API can be done, I just wanted to know: is there any other better option to accomplish this?

I also feel this requirement is weird, because in general an app or a web application is used by n number of users, so it is difficult to monitor that many API calls.

Please share your valuable suggestions.

Recommended answer

There is no perfect way to solve this. Designating a special flag won't solve your problem, because the consumer can put in whatever she wants and you cannot be sure if it is legit or not. The same holds true if you issue different API keys for different consumers - you never know if they decide to switch them up.

The only option that comes to my mind is to analyze the HTTP header and see what you can deduce from it. As you probably know, a typical HTTP header looks something like this:

You can try and see how the requests from all sources differ in your case and decide if you can reliably differentiate between them. If you have the luxury of developing the client (i.e. this is not a public API), you can set your custom User-Agent strings for different sources.

But keep in mind that Referrer is not mandatory and thus it is not very reliable, and the user agent can also be spoofed. So it is a solution that is better than nothing, but it's not 100% reliable.

Hope this helps, also here is a similar question. Good luck!
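
Added example, not part of the original answer: a server-side classifier that turns the two headers discussed above into a source label for telemetry only. The `ExampleApp-*` User-Agent prefixes, the `https://app.example.com` origin and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlparse

# Assumed values for illustration; none of these come from the original post.
CLIENT_UA_PREFIXES = {"ExampleApp-iOS/": "ios", "ExampleApp-Web/": "webapp"}
WEB_ORIGINS = {"https://app.example.com"}


def referer_origin(value):
    """Reduce a Referer URL to scheme://host[:port]; None if absent or malformed."""
    parts = urlparse(value or "")
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def classify_source(headers):
    """Return (source, evidence) as a telemetry hint.

    Both headers are chosen by the client, so the result must never gate
    authentication or authorization decisions.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ua = h.get("user-agent", "")
    # Strongest hint: the custom User-Agent our own clients are built to send.
    for prefix, source in CLIENT_UA_PREFIXES.items():
        if ua.startswith(prefix):
            return source, "user-agent"
    # Weaker hint: Referer is optional and often stripped, so absence means nothing.
    # Compare the exact origin, not a string prefix, so look-alike hosts do not match.
    if referer_origin(h.get("referer")) in WEB_ORIGINS:
        return "webapp", "referer"
    return "unknown", "none"


def tally(requests):
    """Count sources over many requests, for dashboards rather than per-call trust."""
    return Counter(classify_source(r)[0] for r in requests)


# Constructed sample requests (header dicts), not captured traffic.
SAMPLE_REQUESTS = [
    {"User-Agent": "ExampleApp-iOS/2.1 (iPhone; iOS 17.4)"},
    {"User-Agent": "Mozilla/5.0", "Referer": "https://app.example.com/orders?id=7"},
    {"User-Agent": "Mozilla/5.0", "Referer": "https://app.example.com.evil.test/"},
    {"User-Agent": "curl/8.5.0"},
]

if __name__ == "__main__":
    print(tally(SAMPLE_REQUESTS))
```

Recording the evidence type next to the label lets a dashboard separate requests identified by the custom User-Agent from those inferred only from Referer.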
