如何使用公开密钥保护Web API免受未经授权的访问?
[英]How to secure a web API with public key from unauthorized access?
问题描述
While understanding the nature of web API, Some questions regarding its safety were raised. 
在了解Web API的本质的同时,提出了一些有关其安全性的问题。 What are the best practices to design web API such that only authorized user should be able to access it. 设计Web API的最佳做法是什么,以便只有授权用户才能访问它。 I tried to check below options, but none was able to achieve perfect safety. 我尝试检查以下选项,但没有一个能够实现完美的安全性。
1) I cannot rely on request origin, referrer or user agent string since they can be easily spoofed. 1)我不能依赖请求源,引荐来源或用户代理字符串,因为它们很容易被欺骗。
2) Web API requires just a public key to access it so CSRF token is also not suitable to implement. 2)Web API只需要一个公共密钥即可访问它,因此CSRF令牌也不适合实施。
Is there any other way I can ensure request is coming from trusted source only? 还有其他方法可以确保请求仅来自受信任的来源吗?
My use case is I would like to implement client side API like google map, where any one who has purchased an access to API, will whitelist their website domain and can include my plugin on their website. 我的用例是我想实现客户端API(例如Google Map),在该客户端中,任何购买了API访问权的人都将其网站域列入白名单,并可以将我的插件包含在他们的网站中。 Plugin will then make request to my API on behalf of user. 然后,插件将代表用户向我的API发出请求。
Is it a good idea, if I apply some request signature logic on web API so my server can validate the requester and reject the unauthorized origins. 如果我在Web API上应用一些请求签名逻辑,以便我的服务器可以验证请求者并拒绝未经授权的来源,那是个好主意。 I assume I would have to keep my request signature logic secret and so I may need some obfuscation on code. 我假设我必须对我的请求签名逻辑保密,所以我可能需要对代码进行一些混淆。
1 个解决方案
解决方案1
0 2019-01-10 13:38:30
You do not mention anything about the usecase, especially if the client is a system or a person? 您没有提及用例,尤其是在客户端是系统还是个人的情况下?
First off, security by obscurity is never a good choice. 首先,默默无闻的安全绝不是一个好选择。 Second, it is considered bad practice to "create your own security system", it is much better to stand on the shoulders of others who has the knowledge and experience in security. 其次,“创建自己的安全系统”被认为是不好的做法,最好是站在拥有安全知识和经验的其他人的肩膀上。
Without knowing the exact usercase, it is hard to come with a lot of suggestions... however, i'd suggest you look at at stuff like jwt tokens(i'm guessing that you have a person behind a webclient as the user of your webservice)... since you've tagged the question with asp.net-web-api i'd also suggest you have a look at https://identityserver.io project ... I've previously used IdentityServer4 with success in a large asp.net webapi project... 不知道确切的用户情况,很难提出很多建议……但是,我建议您看一下jwt令牌之类的东西(我想您是Webclient背后的一个人,您的网络服务)...因为您已经用asp.net-web-api标记了问题,所以我也建议您看看https://identityserver.io项目...我以前成功使用过IdentityServer4在一个大型的asp.net webapi项目中...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.