如何通过仅允许受信任域来保护 API? [英] How do I secure an API by only allowing trusted domains?
问题描述
如何通过只允许受信任的域来保护 API?
How do I secure an API by only allowing trusted domains?
我正在构建一个 REST API.我需要一种分发 API 密钥的方法,但只允许它们在注册的域中工作.
I am building a REST API. I need a way to distribute API Keys but only allow them to work from the domain they are registered with.
主要问题是我的 API 密钥需要嵌入到 Flash 文件中,该文件可以轻松反编译以窃取 API 密钥.如果 Flash 使这不可能,我可以改用 Javascript.
The main issue is my API Key needs to be embedded in a Flash File which can easily be decompiled to steal the API Key. If Flash makes this impossible I can use Javascript instead.
我听说很多人说使用 $_SERVER['HTTP_REFERER'].但这很容易被欺骗.
I have heard a lot of people say use $_SERVER['HTTP_REFERER']. But that is easily spoofed.
- 如何构建 API 以确保请求来自允许的域?
- 如何创建绑定到域的 API 密钥?
- 如何通过只允许受信任的域来保护 API?
这些问题是相关的,但并没有完全回答我的问题.我想我会把它们放在这里以备将来参考.
These questions are related but didn't quite answer my question. Figured I would just put them here for future reference.
推荐答案
JavaScript 在这里帮不了你 - 问题是密钥存储在客户端,这意味着它不安全.你当然可以让攻击者更难(例如,就像你说的检查引用),但在一天结束时,所有服务器可以验证密钥是否正确,并且由于密钥很容易被盗,这是不是很有帮助.
JavaScript won't help you here - the problem is that the key is being stored on the client, which means that it is not secure. You can make it a bit more difficult for an attacker certainly (e.g. like you say checking the referrer), but at the end of the day all the server can verify is that the key is correct, and since the key can easily be stolen that's not very helpful.
保护私钥的方法是让私钥在您提供给他们的任何人的服务器上运行,而不是在客户端中运行.根据您的需要,这可能不可行.
The way this can be secured is by having the private keys run on the servers of whoever you are giving them to instead of in the client. Depending on your needs, this may not be feasible.
让攻击者更难的一种可能性是使用站点锁定技术,仅允许 SWF 调用位于适当域中的 API.有关示例,请参见 http://blog.boogatech.com/as3_tutorial_site-locking_your_flash_project/.但是请注意,这是客户端安全性 - 站点锁定的目标通常只是阻止人们在其他站点上玩您的游戏(即使这样也无法阻止最专注的攻击者).在您的情况下,您正在处理服务器安全性 - 服务器不知道 SWF,它只知道它正在提供的参数,因此攻击者可以绕过 SWF 和客户端安全性并从其他地方调用 API.
One possibility to make it a bit harder for attackers is to use the site-locking technique to only allow the SWF to call the API if it is on an appropriate domain. See http://blog.boogatech.com/as3_tutorial_site-locking_your_flash_project/ for an example. Please note however, that this is client security - the goal with sitelocking is usually just to stop people from playing your game on other sites (and even then it can't stop the most dedicated of attackers). In your case you are dealing with server security - the server doesn't know about the SWF, all it knows is the arguments it is being fed, so an attacker can just bypass the SWF and the client security and call the API from somewhere else.
我建议您考虑一下您试图阻止的攻击和攻击者(为什么必须将 API 密钥绑定到域?).这将帮助您更好地计划安全尝试.例如,如果你没有运行一个超关键的 API,你可以决定做一些事情来让攻击者更难访问 API 是可以接受的,因为你知道你无法阻止一个非常专注的攻击者.
I'd advise you to think about what attack and attackers you are trying to prevent (why do you have to tie API keys to a domain?). This will help you plan your security attempts better. For instance, if you are not running an ultra-critical API, you can decide that putting in a couple of things to make it harder for attackers to access the API is acceptable, with the knowledge that you can't stop an extremely dedicated attacker.
这篇关于如何通过仅允许受信任域来保护 API?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
