How to hide the API key in my Electron application?


Question

I'm building an Electron application that uses Google's YouTube Data API v3. For accessing the API, I decided to use the standard API key (instead of OAuth, since I am not going to be accessing any personal data).

But the problem is, I cannot hide the API key in my app, and I also cannot use referrer restrictions (referrer restrictions allow you to filter which web sites can use your API key (by HTTP address)), since this is an Electron app. So basically, if someone looks at the source code (or even just at the developer tools), they can see the key, and use it freely.

Any suggestions? Thanks.

Recommended answer

The only way to secure your API key for an application that does not require users to register or log in is to place it behind a server proxy. So, when they start the app, the app reaches out to your server; the server then returns the API key, so it only resides in the app in dynamic form and is never visible to users.

However, this is still insecure: if they use a packet sniffer or local proxy, they can grab your token.

The most secure way to do this is to make all your API requests from a private server that your app has access to. So, the app makes no requests to Youtube, it only gets the data from your server.

Then, you can secure your app by signing API requests to your private server with a private key. For example, you could have a config file in the app with a private key that is sent in the header of every API request. Then, the only way to get your key would be to decompile your app, access that config file, and then make API requests to your private server using the same private information. Then, to prevent malicious users, you can monitor traffic and set up request limits, like 1 request per second per app. Any app exceeding that limit could be black-listed as a DDOS attack or a malicious user.

The data flow looks like this.

    App -> Server (with Api Key) -> youtube (data) -> Server (data) -> App
