
Open source API application security

I'm a bit new to building open source API applications. I've learned that it is the safest to hide your API keys from your source code and that one way to do this is by using environment variables. But one question keeps bugging me: how could an open source app be safe when any user can open the source code and figure out the API keys themselves? It might not be directly in the source code but you can just modify the code to get it, right?

The values of the environment variables are not stored in the source code; instead they are added to the OS environment and the application can read these values when it is running.

If a hacker gets access to the machine, then he can also access and read these variables, so that's why it's important to secure and lock down the server the application is running on.

So it is a fairly good approach as the secrets themselves are not stored in the source code. They are set and created outside the application.
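The pattern the answer describes, as an added example that is not code from the question or the answer: the secret is read from the process environment at run time, never from a literal in the repository, and the program fails fast with a clear message when it is missing. The key name `WEATHER_API_KEY`, the hypothetical `.env` file contents and the sample key value are all constructed for the example; the small `.env` parser is an assumption about how developers commonly load such values locally and is not something the answer mentions.

```python
"""Read API secrets from the environment instead of the source code."""
import os
import re
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


# Matches KEY=VALUE lines of a git-ignored local .env file (assumed format).
_ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample of a local .env file; a real one stays out of the repo.
SAMPLE_ENV_FILE = """
# constructed example of a local, git-ignored .env file
WEATHER_API_KEY="constructed-sample-key-1234567890"
PORT=8080
"""


def parse_env_file(text: str) -> dict:
    """Parse KEY=VALUE lines into a dict, skipping blanks and comments."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        # Strip one pair of matching surrounding quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_secret(name: str, env: Optional[Mapping[str, str]] = None,
                min_length: int = 16) -> str:
    """Return the secret called `name` from the OS environment (or `env`).

    Fails fast instead of running with an empty or truncated credential,
    and never includes the value itself in the error message.
    """
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise MissingSecretError(
            f"{name} is not set; export it in the OS environment, "
            "not in the source code")
    if len(value) < min_length:
        raise MissingSecretError(
            f"{name} is set but looks truncated ({len(value)} chars)")
    return value


def redact(secret: str) -> str:
    """Shorten a secret for log lines so the full value is never written."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


if __name__ == "__main__":
    # Locally a developer may populate the environment from a .env file;
    # in production the server's environment is set outside the app.
    os.environ.setdefault("WEATHER_API_KEY",
                          parse_env_file(SAMPLE_ENV_FILE)["WEATHER_API_KEY"])
    key = load_secret("WEATHER_API_KEY")
    print(f"loaded WEATHER_API_KEY={redact(key)}")
```

Because the repository only ever contains the *name* of the variable, anyone reading the open source code learns that a key is needed, not what the key is; the answer's point that the server itself must then be locked down follows directly, since the environment is where the value actually lives.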
