YouTube API Key Security - How worried should I be?

Views: 135

Question

I'm getting ready to launch an Angular/Node web application which uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and was pretty successful in beta. It's not going to be a commercial success, just a fun app that makes people's lives a little bit easier. I have one issue/concern: should I be hiding my YouTube V3 API key, client ID, and scopes? Or can I assume that, since only my domain name is whitelisted, the potential hackers/people who try to use the API key won't be able to make any calls or do any damage, so therefore I have nothing to worry about?

These are the specific calls I'm worried about (not the real IDs/keys):

Index.html script tag

    var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
    var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];

In Angular, Controller.js

    .value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
    gapi.client.setApiKey(google_api_key);

Recommended answer

For Simple Access to Google APIs, the API key is the only credential required for the request, and it is a unique identifier of your app/project. It provides API access and is subject to quotas.

You should keep it secret!

If you have a client-side-only app (without a server), then use the OAuth 2.0 Client-side Flow.

From Google's documentation:

Best practices for securely using API keys:

When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:

  • Do not embed API keys directly in code

API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.

  • Do not store API keys in files inside your application's source tree

If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.

  • Restrict your API keys to be usable only by the IP addresses, referrer URLs, and mobile apps that need them

By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.

  • Delete unneeded API keys

To minimize your exposure to attack, delete any API keys that you no longer need.

  • Regenerate your API keys periodically

You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.

  • Review your code before releasing it publicly

Ensure that your code does not contain API keys or any other private information before you make your code publicly available.
