API Security: how to restrict access by domain?


Question

I'm exposing a simple API and need to make sure only authorized users access it. I will be providing an API key to authenticate. However, I also want to associate the API key to a certain domain (meaning, it should only work if it's being used from the authorized domain(s)).

How do I check on the API side if it is being accessed from an authorized domain? HTTP_REFERER apparently is not reliable. Suggestions?

Recommended answer

What kind of API are you exposing? There are many different kinds of APIs - I assume you do not expose your operating system's API...

Assuming you want to expose some web application's API, you may take a look at OAuth, which is based on callback URLs - you can just block certain domains from being called through callback URL.

Read more about OAuth.
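The server-side check the answer alludes to, as an added example that is not from the question or answer above: each API key has a set of registered callback URLs, and the `redirect_uri` presented in a request is accepted only if it matches one of them exactly after canonicalization. The check deliberately ignores `Referer`/`Origin`, which the client controls; the registry contents and function names are assumptions for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample registry: API key -> callback URLs registered for that key.
CLIENT_CALLBACKS = {
    "key-abc123": {"https://app.example.com/oauth/callback"},
    "key-def456": {"https://partner.example.org/cb",
                   "https://partner.example.org/cb2"},
}


def normalize(url: str) -> Optional[str]:
    """Canonicalize a callback URL, or return None if it is not acceptable.

    Only absolute https URLs are accepted. Userinfo is rejected so that
    https://app.example.com@evil.net cannot impersonate app.example.com,
    and fragments are rejected because they never reach the server.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.username or parts.password or parts.fragment:
        return None
    host = parts.hostname.lower()    # hostnames are case-insensitive
    netloc = host if port in (None, 443) else f"{host}:{port}"
    path = parts.path or "/"
    # Query string is kept: exact matching covers it too.
    return urlunsplit(("https", netloc, path, parts.query, ""))


def callback_allowed(api_key: str, redirect_uri: str) -> bool:
    """True only if redirect_uri exactly matches a URL registered for api_key.

    Exact matching (not prefix or substring matching) is what stops
    https://app.example.com.evil.net/... and path tricks such as
    /oauth/callback/../other from being accepted for app.example.com.
    """
    registered = CLIENT_CALLBACKS.get(api_key)
    if not registered:
        return False
    candidate = normalize(redirect_uri)
    if candidate is None:
        return False
    allowed = {normalize(u) for u in registered} - {None}
    return candidate in allowed
```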
