有没有办法在没有基于登录的身份验证的情况下保护 API? [英] Is there a way to secure an API without login based authentication?

问题描述

我目前正在为网站开发 API，但该网站不需要登录即可使用，因此该 API 必须在没有个人用户身份验证的情况下工作.目标是防止 API 被第三者使用.

I'm currently developing an API for a website, but the website doesn't require logging in to use, so the API has to work without individual user authentication. The goal is to prevent the API from being used by a 3rd party.

有没有办法保护 API 只供我的网站使用，而不使用登录身份验证来防止 3rd 方调用后端服务.

Is there a way to protect the API to only be used by my website, without using login authentication to prevent 3rd parties from calling the backend service.

我已经研究过 CORS，但它似乎不是一个强有力的保证.另一个想法是旋转 API 密钥.在这些情况下通常使用什么?

I've looked into CORS, but it doesn't seem like a strong guarantee. Another thought was a rotating API key. What is usually used in these situations?

推荐答案

当您的网站被加载时，在您的客户端中设置一个唯一的令牌.将此唯一令牌在您的所有请求中发送到您的服务器，这可以帮助您确定 API 是否正在被您的客户端访问.

When your website is loaded, set a unique token in your client. Send this unique token in all your requests to your server which can help you identify whether the API is being accessed by your client.

用户不必登录，但在这种情况下您设置了一个令牌，类似于 API Key 身份验证类型.

User doesn't have to login, but you set a token in this case, which is similar to API Key authentication type.

这篇关于有没有办法在没有基于登录的身份验证的情况下保护 API?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！