如何验证来自某个域的API请求?
[英]How do you verify an API request came from a certain domain?
问题描述
I have a web API that I want to allow any domain to submit data to. 
我有一个Web API,我想允许任何域提交数据。 However, to keep bogus spam down I want to find some way to insure that a request stating it's from a certain domain actually is from that domain and that someone isn't trying to trick me by posting on another domains behalf. 但是,为了防止虚假垃圾邮件发生故障,我想找到一些方法来确保来自某个域的请求实际上来自某个域,并且有人不会试图通过在其他域上发布来欺骗我。
For example, if http://example.com submits some data - thats good. 例如,如果http://example.com提交了一些数据 - 这很好。 If script kiddie #237 submits data claiming to be example.com - that's bad. 如果脚本小子#237提交声称是example.com的数据 - 这很糟糕。
At first I was going to use a secret key system to HMAC sign each request - but signup is going to be open, free, and automated for this API. 起初我打算使用密钥系统来HMAC签署每个请求 - 但是这个API的注册将是开放的,免费的和自动化的。 I'm not sure how I could tell if PersonA or PersonB really owns http://example.com and deserves the API key. 我不知道如何判断PersonA或PersonB是否真的拥有http://example.com并且应该获得API密钥。
1 个解决方案
解决方案1
2 已采纳 2010-11-27 16:34:30
Provide a key file that they will have to upload on that domain. 提供他们必须在该域上传的密钥文件 。 And you check the existence and valid data against your internal database. 并检查内部数据库的存在和有效数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.