
Securing External API EndPoint for ASP.NET Web API Service (ASP.NET 4.6)

I'm building an external API endpoint that will send email notifications to subscribers. When a subscriberID (50 characters) and a message string are passed to the endpoint, the service will send out a message via email to the subscriber's email address. Due to the nature of the service it cannot be locked down by IP address or a certificate file, or use OAuth2. A third party will be hitting this endpoint with messages to send out to subscribers.

There are currently 100,000 plus subscribers. What are the odds, if a malicious user were to find this endpoint, that they could randomly try subscriberIds, find valid ones and start sending them emails, given the fact that an ID is 50+ characters long and there are about 100000 valid subscriberIds?

What are my best options for securing this API endpoint? Here are my thoughts so far: either add an API key that only the third party knows and will send on every request, and/or generate a token for every subscriber, save it to a database, and then on the endpoint require them

A good solution for securing Web APIs is using JWT. If you are building your Web API using ASP.NET Core, it's much easier to use it, as it is a built-in feature.

Also, do you have some limitations regarding the number of emails a subscriber can send? It may be a good idea to have a threshold for each user (every minute, hourly, daily, etc.), so you can avoid being spammed by a malicious user that has access to your Web API.
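Putting the two ideas from the thread together for the ASP.NET 4.6 / Web API 2 stack named in the question, here is an added example (not code from the question, the answer, or any project): an action filter that checks the third party's shared API key with a fixed-time comparison and then applies a per-subscriber threshold. It assumes a controller action decorated with `[ApiKeyWithSubscriberThrottle]` whose model-bound parameter is named `subscriberId`, and a hypothetical `NOTIFY_API_KEY` setting holding the shared key.

```csharp
// Added example; assumes a Web API 2 action with a "subscriberId" parameter and a hypothetical NOTIFY_API_KEY setting.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
public sealed class ApiKeyWithSubscriberThrottleAttribute : ActionFilterAttribute
{
    // Shared key the third party sends on every request; read from a secret store, never hard-coded.
    private static readonly byte[] ExpectedKey =
        Encoding.UTF8.GetBytes(Environment.GetEnvironmentVariable("NOTIFY_API_KEY") ?? "");
    private const int MaxPerWindow = 5;                        // notifications per subscriber per window
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(1);
    private sealed class Bucket { public DateTime Start; public int Count; }
    // In-process counters: fine for one server; use a shared store such as Redis on a web farm.
    private static readonly ConcurrentDictionary<string, Bucket> Buckets = new ConcurrentDictionary<string, Bucket>();
    public override void OnActionExecuting(HttpActionContext ctx)
    {
        // Expect "Authorization: ApiKey <key>": a header, not the query string, so it stays out of access logs.
        var auth = ctx.Request.Headers.Authorization;
        if (auth == null || auth.Scheme != "ApiKey"
            || !FixedTimeEquals(Encoding.UTF8.GetBytes(auth.Parameter ?? ""), ExpectedKey))
        { ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized); return; }
        var subscriberId = ctx.ActionArguments.ContainsKey("subscriberId")
            ? ctx.ActionArguments["subscriberId"] as string ?? "" : "";
        // Per-subscriber threshold: even a caller holding the valid key cannot flood one inbox.
        if (!Allow(subscriberId, DateTime.UtcNow))
            ctx.Response = ctx.Request.CreateResponse((HttpStatusCode)429, "Too many notifications for this subscriber");
    }
    // Fixed-window counter: start a new window once the old one has expired, then count this request.
    public static bool Allow(string subscriberId, DateTime now)
    {
        var b = Buckets.GetOrAdd(subscriberId, _ => new Bucket { Start = now });
        lock (b)
        {
            if (now - b.Start >= Window) { b.Start = now; b.Count = 0; }
            return ++b.Count <= MaxPerWindow;
        }
    }
    // Compare every byte even after a mismatch so response time does not reveal how much of the key matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;                        // unequal lengths are a mismatch
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The 429 response gives the third party a clear signal to back off, while a log of repeated 401s from one client is the detection hook for someone probing the endpoint without the key.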
