如何使用客户端的JavaScript时保持API密钥的秘密？ [英] How to keep API keys secret when using client side Javascript?

问题描述

例如，看看这个 Facebook的插件。

在客户端的API密钥清晰可见。什么是从获取该密钥，并使用在不同的网站这个功能阻止其他用户？

In the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this feature on a different site?

我想一个很天真的实施将是检查的请求来自，但这样的事情是很容易伪造的域。

I figured a very naive implementation would be to check the domain the request comes from but things like this are easy to fake.

如果我要创建类似的东西，我将如何去确保认证过程？

If I were to create something similar, how would I go about securing the authentication process?

我想因为大部分工作是客户端，但某种形式的服务器认证将被要求肯定？任何链接或建议将不胜AP preciated。

I want as much of this work to be client side, though some form of server authentication will be required surely? Any links or advice would be greatly appreciated.

更新

类似<一个href=\"http://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar\">question关于我发现有用的API密钥。

Similar question about API keys that I found useful.

推荐答案

在三个字：服务器端验证。当您使用的一个关键这是不正确的给定网站FB本身会引发错误。 API密钥是不应该是秘密（相对于秘密密钥）。

In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).

这篇关于如何使用客户端的JavaScript时保持API密钥的秘密？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！