如何限制不必要的使用AJAX API(如执行SELECT *人) [英] How to restrict AJAX API from unwanted use (e.g. someone performing a SELECT *)
问题描述
我对餐馆的位置捣烂到一个谷歌地图餐厅定位器的Web应用程序。
I have a restaurant locater web application that mashes up the location of restaurants to a Google Maps.
使用jQuery的滑块来限制餐馆的量有搜索过滤器如在地图上显示:价格,食品类,语言环境
I use JQuery sliders to limit the amount of restaurant to show on the map by having Search filter such as: price, type of food, locale.
这些JQuery的滑块再打通过AJAX给我创造了更新,而无需刷新网页地图的API。
These JQuery sliders call back via AJAX to an API I created to update the map without the web page having to refresh.
JQuery的调用REST的API,像这样:
JQuery calls a RESTFUL API like so:
http://example.com/search/?city=NYC&max-price:50&cuisine=french
这将返回餐厅,符合此条件,使我的web应用程序可以在地图上显示所有符合搜索餐馆JSON字符串。
This returns a JSON string of restaurants which match this criteria so that my web application can display on the map all the restaurants which match the search.
我不希望有发生什么事是有人来陪伴并找出我的API和转储了我所有的餐馆列表。
What I don't want to have happen is for someone to come along and figure out my API and dumps out ALL of my restaurant listings.
有没有一种方法,我可以限制谁打电话上述HTTP API,这样只有我的Web服务器调用的URL,而不是spamer /黑客寻找到转储我的数据库?
Is there a way that I can limit who call the above HTTP API, so that only my web server calls the URL and not spamer/hackers looking to dump my database?
感谢
推荐答案
首先,声明你的意图在的robots.txt 。
First, declare your intentions in robots.txt.
然后,发送一个Set-Cookie头有一个随机数或某种形式的唯一ID的主页上,而不是在你的API响应。如果cookie是永远不会发送到您的API端点,返回 401错误的请求的反应,因为它是一个机器人,一个很破的浏览器,或有人拒绝你的cookies。的Referer头也可以被用作附加的检查,但它是微不足道的假。跟踪有多少API调用已经由该ID。您可能还需要匹配的ID为IP地址。如果这样下去,上面的门槛,吐回 403禁止响应。让你的门槛足够高,使合法用户不抓到它。
Then, send a Set-Cookie header with a nonce or some kind of unique ID on the main page, but not on your API responses. If the cookie is never sent to your API endpoint, return a 401 Bad Request response, because it's a bot, a very broken browser, or somebody is rejecting your cookies. The Referer header can also be used as an additional check, but it's trivial to fake. Keep track of how many API calls have been made by that ID. You may also want to match IDs to IP addresses. If it goes above your threshold, spit back a 403 Forbidden response. Make your threshold high enough that legitimate users don't get caught by it.
请上等原木,突出401和403的反应。
Keep good logs, and highlight 401 and 403 responses.
实际上,如果有人足够的决心,他们将能够转储信息。你的目标不应该是使这个不可能的,因为你永远不会成功。 (见所有关于实现完美的安全性通常的格言。)相反,你想清楚地表明:
Realistically, if someone is determined enough, they WILL be able to dump this information. Your goal shouldn't be to make this impossible, because you will never succeed. (See all the usual adages about achieving perfect security.) Instead, you want to make it abundantly clear that:
- 在这种行为违反了服务条款。
- 您正在积极尝试prevent这一点。
- 您知道罪犯存在,大概他们是谁。
- 在可怕的律师可能会开始介入如果这样下去。
(你有一个律师,对吧?)
(You do have a lawyer, right?)
要实现这一点,可以肯定你的体403禁止响应传递沿线这一要求超出了API的最大允许使用一个可怕的冠冕堂皇的消息。您的IP地址已被记录下来。详情请参阅服务条款,并服从指令的的robots.txt 。
To achieve this, be sure the body of your 403 Forbidden response conveys a scary sounding message along the lines of "This request exceeds the maximum allowed usage of the API. Your IP address has been logged. Please refer to the terms of service and obey the directives in robots.txt."
IANAL,但我相信DMCA可在这种情况下,如果你声称的版权对数据库应用。这实际上意味着,如果你能追踪非法使用你的API为IP地址,你可以发送nastygram给他们的ISP。这应该永远是理所当然的最后手段。
IANAL, but I believe the DMCA can be made to apply in this situation if you claim copyright on your database. This essentially means that if you can track illegal usage of your API to an IP address, you can send a nastygram to their ISP. This should always be a last resort of course.
我不鼓励使用指定的API密钥/令牌,因为他们变成是一个障碍通过和种类的颈部疼痛管理。作为反点@ womp的回答,谷歌正在慢慢远离它们的使用。另外,我不认为他们实际上适用于这种情况,因为它听起来像你的API更像是主要应用于在自己的网站一个JSON调用。
I don't encourage the use of assigned API keys/tokens because they turn out to be a barrier to adoption and kind of a pain in the neck to manage. As a counter-point to @womp's answer, Google is slowly moving away from their use. Also, I don't think they actually apply in this case, because it sounds like your "API" is more like a JSON call that's used mainly on your own site.
这篇关于如何限制不必要的使用AJAX API(如执行SELECT *人)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
