Developing API - how to make it secured?


Question


I'm putting together read and write methods to my database and exposing them via URL (I'm using CodeIgniter framework and using URL segments to pass parameters to these methods). The original idea was to have my Ajax script call these methods. However, now I am thinking I could potentially expose these methods to any developer.


What should I do to make sure only authorized developers use my API? I'm thinking they should pass an API key and possibly password to each method call. If I were to provide them with such details, would that be secure enough?


Also, I'm thinking that I should support POST instead of GET as some of the required parameters may not fit in nicely with URL segments. Thoughts?

Answer


Implementing OAuth http://oauth.net/documentation/getting-started/ would work for what you're trying to do. I'm not certain of what type of data you're securing, but I agree with TradyBlix that this is probably best. I've implemented it before; it's not too hard to figure out, and it's well documented, with many APIs that handle user data utilizing it.


Another thing you should think about is limiting API keys to domains, so a developer can only use their API key from their own domain, essentially preventing an unauthorized developer from gaining access, at least without gaining access to an authorized domain and the corresponding key.
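As an added example (not the asker's CodeIgniter code, and not OAuth itself), here is the simpler "API key plus secret" scheme the question proposes, done the way a practitioner would do it: instead of sending the secret on every call, the client sends a key id, a timestamp and an HMAC over the method, path, timestamp and body, and the server recomputes the MAC. That gives per-developer authentication, makes the signed body tamper-evident, and keeps the secret out of URLs and server logs (which is also a reason to prefer POST with a signed body over passing secrets in GET segments). The server additionally pins each key to the Origin it was issued for, as the answer suggests. The key ids, secrets, header names and registry layout are assumptions for this example; the check runs in plain Python so it works outside any framework.

```python
"""Added example: HMAC-signed API requests with per-key allowed origins.
Not the original post's code; names and layout below are assumptions."""

import hashlib
import hmac
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed key registry (assumption): key id -> (shared secret, allowed origins).
# In a real deployment this lives in the database next to the developer account.
KEY_REGISTRY = {
    "dev-alice": ("s3cr3t-alice", {"https://alice.example"}),
    "dev-bob": ("s3cr3t-bob", {"https://bob.example"}),
}

MAX_CLOCK_SKEW = 300  # seconds; a captured request cannot be replayed after this


@dataclass
class Request:
    method: str
    path: str
    body: bytes
    headers: dict


def _normalize_origin(origin):
    """Reduce an Origin header to lowercase scheme://host[:port] for comparison."""
    u = urlsplit(origin)
    if not u.scheme or not u.netloc:
        return ""
    return f"{u.scheme.lower()}://{u.netloc.lower()}"


def canonical_string(method, path, body, timestamp, key_id):
    """The exact bytes both sides MAC; hashing the body keeps the string short."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), key_id, body_hash])


def _mac(secret, canonical):
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_request(method, path, body, key_id, secret, origin, timestamp=None):
    """Client side: build a request whose headers carry the key id, timestamp
    and signature. The secret itself is never transmitted."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    signature = _mac(secret, canonical_string(method, path, body, timestamp, key_id))
    return Request(method, path, body, {
        "X-Api-Key": key_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": signature,
        "Origin": origin,
    })


def verify_request(req, registry=KEY_REGISTRY, now=None):
    """Server side: returns (ok, reason). Order: key lookup, freshness,
    signature (constant-time compare), then the per-key origin pin."""
    now = int(time.time()) if now is None else now
    key_id = req.headers.get("X-Api-Key", "")
    entry = registry.get(key_id)
    if entry is None:
        return False, "unknown key"
    secret, allowed_origins = entry
    try:
        ts = int(req.headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    expected = _mac(secret, canonical_string(req.method, req.path, req.body, ts, key_id))
    if not hmac.compare_digest(expected, req.headers.get("X-Signature", "")):
        return False, "bad signature"
    if _normalize_origin(req.headers.get("Origin", "")) not in allowed_origins:
        return False, "origin not allowed for key"
    return True, "ok"


if __name__ == "__main__":
    good = sign_request("POST", "/items", b'{"name":"x"}', "dev-alice", "s3cr3t-alice",
                        "https://alice.example")
    print(verify_request(good))  # (True, 'ok')
    tampered = Request(good.method, good.path, b'{"name":"y"}', dict(good.headers))
    print(verify_request(tampered))  # (False, 'bad signature')
```

The Origin pin is a deterrent, not a boundary: browsers set Origin and scripts cannot override it, so a key lifted from one site's JavaScript will not work from another site, but any non-browser client can send whatever Origin it likes. The signature and timestamp are what actually authenticate the caller; the origin check only limits casual reuse of a leaked key, which is the scope the answer claims for it.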
