API安全 - 使用api密钥秘密,哈希,tnonce等VS. SSL证书验证
[英]API security - using api key secret, hashing, tnonce etc VS. SSL certificate verification
问题描述
Why is it required to protect API calls with additional API key secret and sign API call? 
为什么需要使用额外的API密钥密钥和签名API调用来保护API调用?
Sending only one API key over SSL connection should be enough to protect requests IMHO. 通过SSL连接仅发送一个API密钥应足以保护请求恕我直言。
Is it because some clients will be unable to make https connections (or verify server cert.) and API should cater to them, or there is another reason? 是因为某些客户端无法建立https连接(或验证服务器证书),API应该满足它们,还是有其他原因?
Most API's require using 2 API keys: API key and API key secret, also tnonce (UNIX timestamp) and then sign API call using some hashing algorithm. 大多数API需要使用2个API密钥:API密钥和API密钥密钥,也是tnonce(UNIX时间戳),然后使用一些散列算法对API调用进行签名。 Is it really so necessary since every call is made over SSL? 是否真的如此必要,因为每次通话都是通过SSL进行的?
1 个解决方案
解决方案1
2 2014-04-17 23:24:26
For many web APIs, a developer is required to obtain an API key that they must use with all their API requests. 对于许多Web API,开发人员需要获取必须与其所有API请求一起使用的API密钥。 The uses I've seen are generally not for security reasons (thus SSL doesn't replace the need for the API key), but rather are used to track which API requests belong to which developer. 我看到的用途通常不是出于安全原因(因此SSL不会取代对API密钥的需求),而是用于跟踪哪些API请求属于哪个开发人员。
This is even more important when the API requests are coming from javascript in a web page because in that cases, the IP address of a given request will belong to the end-user, not the developer so IP address tracking is not very useful. 当API请求来自网页中的javascript时,这一点更为重要,因为在这种情况下,给定请求的IP地址将属于最终用户,而不是开发人员,因此IP地址跟踪不是很有用。 But, the API key will identify which developer the request belongs to even when made by an end-user browser from a web app. 但是,即使最终用户浏览器从Web应用程序发出,API密钥也将识别请求所属的开发人员。 Then, if there are problems with the use of the API, the host site can know who is behind the problem requests and then either contact that developer or shut down or moderate access for that particular developer without affecting other users of the API who are not causing an issue. 然后,如果使用API时出现问题,主机站点可以知道问题请求的后面是谁,然后联系该开发人员或关闭或中等访问该特定开发人员,而不会影响API的其他用户造成问题。
Thus, the API key facilitates monitoring and managing the use of the API by different developers. 因此,API密钥有助于监视和管理不同开发人员对API的使用。 In some APIs, a developer is asked to obtain a separate API key for each "app" that they are using the API for to provide even further granularity and control. 在某些API中,要求开发人员为每个使用API的“app”获取单独的API密钥,以提供更进一步的粒度和控制。
In some cases, I've even had a host site contact me (the developer using an API key) and suggest a more efficient way for me to use their API to get the data I wanted (presumably because this took less load on the site's back-end servers). 在某些情况下,我甚至有一个主机站点联系我(开发人员使用API密钥)并建议一种更有效的方式让我使用他们的API来获取我想要的数据(可能是因为这减少了网站上的负载后端服务器)。
In particularly bad cases where an API is being misused or used for illicit purposes, an API key can be revoked by the host site such that it no longer works (all requests using that API key are rejected). 在API被滥用或用于非法目的的特别糟糕的情况下,主机站点可以撤销API密钥,使其不再有效(使用该API密钥的所有请求都被拒绝)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.