[英]What are some ways to secure REST APIs?
I have a situation where iPhone client Signs In with Google/Facebook 我遇到iPhone客户端使用Google / Facebook登录的情况
step 1
iPhone Client --------——> Google/Facebook
Once Authenticated, client needs to get data from my REST APIs 身份验证后,客户端需要从我的REST API中获取数据
step 1
iPhone Client --------——> Google/Facebook
|
| step 2
|
V
GET /transactions
Question 题
Since server is not aware if client is authenticated(Ideally client is authenticated), what are some ways I can secure my REST APIs to have confidence that it is reasonably secured against malicious attacks? 由于服务器不知道客户端是否已通过身份验证(理想情况下客户端已通过身份验证),因此我可以通过哪些方式保护我的REST API,以确保其可以可靠地防御恶意攻击?
Also, I do not want to maintain user/passwords on server 另外,我不想在服务器上维护用户名/密码
You need to look into OAuth2, which is created to authorise user and allow access to secured resources. 您需要研究OAuth2,它是用来授权用户并允许访问安全资源的。 Here are some useful links for the same: 以下是一些有用的链接:
RFC: RFC:
http://tools.ietf.org/html/rfc6749 http://tools.ietf.org/html/rfc6749
One link that can lead you wherever you want to: 一个链接可以带您到任何地方:
您可以为响应中的每个客户端生成一个密钥,然后当客户端再次访问服务器(在请求中提供密钥)时,请比较该密钥在密钥池中是否为有效密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.