保护JavaScript API
[英]Securing JavaScript API
问题描述
I'm currently working on a small JavaScript library which makes requests to a REST web service. 
我目前正在开发一个小型JavaScript库,该库向REST Web服务发出请求。 Since the server side needs to log incoming request to measure the number of requests, I want to secure it somehow. 由于服务器端需要记录传入的请求以衡量请求的数量,因此我想以某种方式保护它。 The library is very similar to the Google Maps API. 该库与Google Maps API非常相似。 So my question is now, is there some way to secure it better then just adding an API key to the libraries requests? 所以我的问题是,现在是否有某种方法可以比仅向库请求中添加API密钥更好地保护它? How can I ensure, if that is even possible, that only the 'right' client uses the key? 如果可能的话,如何确保只有“正确的”客户才使用密钥? I guess I could compare the referrer url to a set of valid urls, but this can be spoofed to right? 我想我可以将引荐来源网址与一组有效网址进行比较,但这可以被欺骗吗? Please keep in mind that is impossible to use some else's authentication method (facebook, google, twitter etc.) since it has to work without user input. 请记住,无法使用其他身份验证方法(facebook,google,twitter等),因为它必须在没有用户输入的情况下工作。
Cheers, Daniel 干杯,丹尼尔
1 个解决方案
解决方案1
1 2014-07-07 08:05:51
A decent RESTful approach would be to require an Authorization header to be supplied by the client, matching some scheme that your server will accept (see Basic Access authentication as an example). 一种不错的RESTful方法是要求客户端提供一个Authorization标头,以匹配服务器将接受的某些方案(请参阅基本访问身份验证作为示例)。 Seeing as you only wish to validate that your client is the one making the request, you probably don't need too complex an authorization mechanism. 鉴于您只希望验证自己的客户是发出请求的客户,因此您可能不需要太复杂的授权机制。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.