Azure API Management - How to secure Subscription key
Technical stack
Now in this case, the subscription key will be visible through Browser -> Inspect -> Network tab.
We want to make sure that a user can't use the UI key to make an API call. Using a proxy will hide the key, but now anyone can call the proxy URL to get the data.
How to make it secure?
Did you find any solution? I used nginx as a proxy server and kept the subscription key there as
    proxy_set_header subscription-key abc-def
when calling the microservice. This way the subscription key won't be exposed to the UI and will be forwarded to the API Management service via nginx.
Store your key in Azure Key Vault and access it from the front-end application: https://medium.com/@ayanfecrown/azure-key-vault-node-js-step-by-step-tutorial-af131a78e220
As mentioned by nmbrphi and garethb, we can't control what the end user sees in the browser's Network tab.
And as we do not have user authentication available in the system and only have IP authentication, we can't control usage of the UI key directly from the API.
To make sure we have a more secure UI call, we have implemented custom logic which can be used for any JavaScript application.
Reference: http://billpatrianakos.me/blog/2013/09/12/securing-api-keys-in-a-client-side-javascript-app/
This helped me to at least distinguish the UI calling the API from the API being called directly from other applications/tools like Postman.
Thanks all for your help.