How to protect the 'public' part of a REST service from spam?

Views: 164

Problem description

I have a REST service that's reasonably complete and will be used with an iOS app. It's built using Ruby/Sinatra but I don't think that really matters here.

I'm using HTTP Basic Authentication over SSL for various endpoints and that part is working very well.

Question is: How do I stop spammers, etc., from calling parts of the REST service that aren't protected via HTTP Basic Authentication?

Example: user registration

Let's assume the REST call is (POST) .../register_account passing a JSON object in the body.

For obvious reasons, this call cannot expect a username/password linked to a user account.

Ideas are:

1) The app has its own 'username' / password and some calls would check for app-credentials. Problem: Rooting the device, etc., could unearth those credentials.

2) The app passes a secret token via an HTTP header to the REST Service for those calls. Problem: Same as (1)

Are there any techniques commonly used out there to prevent such spam calls? I'm thinking maybe introduce the iPhone's device id in the mix but haven't identified a definite approach yet.

Thanks

Recommended answer

While the app-specific code is a good idea for a first line of defense against spam, you should still implement some rate-limiting on any services you are concerned about.

For example, if you use sessions on your REST services, you can easily rate-limit the number of calls you process from a single session. The session doesn't have to be authenticated at all and is only used to identify a single client while they are making requests. A simple redirect back to the requested service if they try to connect without an open session is all that's needed, and virtually all web frameworks or stacks have this built in.

You can also rate-limit on other properties, such as IP or user-agent fingerprint, but those are less reliable than a session-based method.
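As an added example (not code from the question or the answer), here is a minimal session-keyed, fixed-window rate limiter in Ruby that follows the answer's advice: it identifies a client by its session cookie and falls back to the remote IP only when no session is present. It is framework-agnostic (it only reads a Rack-style env hash) so it runs without Sinatra installed; the cookie name `rack.session`, the limits, and the sample request are assumptions.

```ruby
# Added example: fixed-window rate limiter keyed on the client's session,
# with the less reliable IP fallback the answer mentions. Not from the page.
class SessionRateLimiter
  SESSION_COOKIE = 'rack.session'.freeze # assumed cookie name

  # limit: maximum requests per key inside one window of window_seconds
  def initialize(limit: 5, window_seconds: 60)
    @limit = limit
    @window = window_seconds
    @buckets = {} # key => [window_start_time, request_count]
  end

  # Prefer the session id; fall back to REMOTE_ADDR when no session exists.
  def client_key(env)
    cookies = (env['HTTP_COOKIE'] || '').split(/;\s*/)
    sid = cookies.map { |c| c.split('=', 2) }
                 .find { |name, _| name == SESSION_COOKIE }
    sid ? "session:#{sid[1]}" : "ip:#{env['REMOTE_ADDR']}"
  end

  # true if the request may proceed, false if it should get an HTTP 429.
  # `now` is injectable so behaviour is deterministic in tests.
  def allow?(env, now = Time.now)
    key = client_key(env)
    start, count = @buckets[key]
    if start.nil? || now - start >= @window
      @buckets[key] = [now, 1] # open a fresh window for this client
      return true
    end
    return false if count >= @limit
    @buckets[key][1] = count + 1
    true
  end
end

# Constructed sample: an unauthenticated client hammering /register_account
# with no session cookie, so it is keyed on its IP.
if __FILE__ == $0
  limiter = SessionRateLimiter.new(limit: 3, window_seconds: 60)
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/register_account',
          'REMOTE_ADDR' => '203.0.113.7' }
  results = (1..4).map { limiter.allow?(env, Time.at(1_000)) }
  puts results.inspect # => [true, true, true, false]
end
```

In a Sinatra app this would sit in a `before` filter (or as Rack middleware) that halts with 429 when `allow?` returns false; the counter store would need to be shared (e.g. Redis) once more than one process serves requests.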
