我该如何保护的API只允许受信任的域？ [英] How do I secure an API by only allowing trusted domains?

问题描述

我如何保护的API只允许可信域？

How do I secure an API by only allowing trusted domains?

我建立一个REST API。我需要一种方法来分发API密钥，但只允许他们从他们注册域名的工作。

I am building a REST API. I need a way to distribute API Keys but only allow them to work from the domain they are registered with.

主要的问题是我的API密钥需要嵌入一个Flash文件，可以很容易地进行反编译窃取API密钥。如果Flash使这不可能的，我可以使用JavaScript来代替。

The main issue is my API Key needs to be embedded in a Flash File which can easily be decompiled to steal the API Key. If Flash makes this impossible I can use Javascript instead.

我已经听到很多人说用 $ _ SERVER ['HTTP_REFERER'] 。但是，这是很容易伪造。

I have heard a lot of people say use $_SERVER['HTTP_REFERER']. But that is easily spoofed.

• 如何建立一个API，它可以确保请求被从允许的域来吗？
• 如何创建一个连接到域的API密钥？
• 如何保护的API只允许可信域？

这些问题都涉及，但并没有完全回答我的问题。想我只是把他们在这里以供将来参考。

These questions are related but didn't quite answer my question. Figured I would just put them here for future reference.

• 谷歌API密钥和域名查询
• <一个href="http://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar">How没有谷歌地图保护他们的API密钥？如何使类似的东西？

• Google API Key and Domain Check
• How does Google Maps secure their API Key? How to make something similar?

推荐答案

JavaScript就无法帮助你在这里 - 的问题是，键被存储在客户端，这意味着它是不安全的。可以使其更加难以对于攻击者肯定一个位（例如像你说检查引荐），但在这一天的所有服务器可以验证的端部是该密钥是正确的，并且由于密钥可以很容易地被窃取这不是非常有帮助。

JavaScript won't help you here - the problem is that the key is being stored on the client, which means that it is not secure. You can make it a bit more difficult for an attacker certainly (e.g. like you say checking the referrer), but at the end of the day all the server can verify is that the key is correct, and since the key can easily be stolen that's not very helpful.

的方式这可以固定是通过具有不管你是谁给他们，而不是在客户端的服务器上运行的私钥。根据您的需求，这可能是不可行的。

The way this can be secured is by having the private keys run on the servers of whoever you are giving them to instead of in the client. Depending on your needs, this may not be feasible.

一种可能性，使其有点困难攻击者是利用网站锁定技术，只允许SWF调用API，如果它是在一个适当的域。请参见 http://blog.boogatech.com/as3_tutorial_site-locking_your_flash_project/ 一个例子。但是请注意，这是的客户的安全性 - 与sitelocking的目标通常只是为了阻止人们玩你的游戏在其他网站上（即使这样也不能阻止最敬业的攻击者）。在你的情况，你正在处理的服务器的安全性 - 服务器不知道的SWF，它只知道它是被喂养的参数，因此攻击者可以直接绕过SWF和客户端的安全，并呼吁从其他地方的API

One possibility to make it a bit harder for attackers is to use the site-locking technique to only allow the SWF to call the API if it is on an appropriate domain. See http://blog.boogatech.com/as3_tutorial_site-locking_your_flash_project/ for an example. Please note however, that this is client security - the goal with sitelocking is usually just to stop people from playing your game on other sites (and even then it can't stop the most dedicated of attackers). In your case you are dealing with server security - the server doesn't know about the SWF, all it knows is the arguments it is being fed, so an attacker can just bypass the SWF and the client security and call the API from somewhere else.

我建议你去思考什么攻击，攻击你尝试prevent（你为什么要API密钥绑定到一个域？）。这将帮助您规划安全性的尝试更好。举例来说，如果你没有运行的超临界API，你可以决定投入几件事情，使之更难攻击者访问的API是可以接受的，与你不能阻止一个非常专门的攻击者知识

I'd advise you to think about what attack and attackers you are trying to prevent (why do you have to tie API keys to a domain?). This will help you plan your security attempts better. For instance, if you are not running an ultra-critical API, you can decide that putting in a couple of things to make it harder for attackers to access the API is acceptable, with the knowledge that you can't stop an extremely dedicated attacker.

这篇关于我该如何保护的API只允许受信任的域？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！