
How can I get the URL of the request sender to my API?

I'm trying to secure my API routes with API keys and website URL of the client. I'm using the tuple (api_key, website_url) to grant the access to my API. In fact, the website URL is sent in the request. Example: using Angular httpClient

```typescript
this.restPost(this.endpoint, body, options)
```

the options include: the API key and website URL.

How can I check if the website_url inserted in the options matches the URL of the request sender? I'm using Flask microframework in the backend.

What you are asking for is impossible.

Fundamentally, if requests are coming to you across the public internet, you cannot know the identity of the application sending requests to you.

You can make an educated guess about the remote client. But since the remote client is running on a platform you can't control, nothing prevents an attacker from reverse engineering how it works and then sending you identical requests. You won't be able to tell the difference if the attacker is skilled enough.

There are tools that can help you detect and block malicious clients, but there are also tools for malicious clients to evade detection (just search Stack Overflow for many examples of the reverse problem). It's an arms race and if you want to win you will need to invest more time and money than your counterpart(s) on the other side are.

The normal solution to this problem is to make it your clients' problem. Charge them for a quota of API requests, and bill them if they make more than that. Then if they share the API key with someone else, they also need to pay the bill for them. Then you don't need to care whose API key it is: you're getting paid either way.

If you can't bill them (e.g. if it's a free service) then the next best thing is rate limiting. Don't allow more than, say, 10 requests in a second for a single API key.

If you're serious about this sort of thing, you probably don't want to reinvent the wheel. There are cloud-scale API gateway services out there. Pick one and use it to handle all your API key authentication and client throttling.
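The per-key rate limiting the answer recommends, as an added example that is not part of the original answer or of any project the question mentions. It is framework-agnostic pure Python so it runs offline: `check_request` takes a plain dict of headers, so in Flask you would call it from a `before_request` hook with `request.headers`. The `X-API-Key` header name, the `API_KEYS` table and its quotas, and the one-second window are assumptions made for the example. Note what is deliberately absent: no `Origin` or `Referer` check, because those headers are set by the client and, as the answer explains, cannot prove where a request came from.

```python
import time
from collections import deque

# Constructed table of issued API keys -> allowed requests per window.
# In a real service this would come from a database or secrets store.
API_KEYS = {"key-alpha": 10, "key-beta": 3}
WINDOW_SECONDS = 1.0  # assumed window: "N requests in a second"


class SlidingWindowLimiter:
    """Per-API-key sliding-window counter: keeps the timestamps of the
    requests seen inside the current window and refuses once the quota
    for that key is used up."""

    def __init__(self, window_seconds=WINDOW_SECONDS):
        self.window = window_seconds
        self._hits = {}  # api_key -> deque of request timestamps

    def allow(self, api_key, limit, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(api_key, deque())
        cutoff = now - self.window
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= limit:
            return False  # quota exhausted for this key
        hits.append(now)
        return True


def check_request(limiter, headers, now=None):
    """Decide on one incoming request. Returns (http_status, reason).

    `headers` is a plain dict so the function can be unit-tested without a
    web framework; in Flask, pass `request.headers` from a before_request hook.
    """
    api_key = headers.get("X-API-Key")  # assumed header name
    if api_key is None:
        return 401, "missing api key"
    limit = API_KEYS.get(api_key)
    if limit is None:
        return 403, "unknown api key"
    if not limiter.allow(api_key, limit, now):
        return 429, "rate limit exceeded"
    return 200, "ok"


def simulate():
    """Replay a constructed burst from one key (quota 3/s) and return the
    status codes: three succeed, the next two are throttled, and a request
    after the window has slid past succeeds again."""
    limiter = SlidingWindowLimiter()
    statuses = []
    for i in range(5):  # five requests 100 ms apart at t = 0.0 .. 0.4
        status, _ = check_request(limiter, {"X-API-Key": "key-beta"}, now=0.1 * i)
        statuses.append(status)
    status, _ = check_request(limiter, {"X-API-Key": "key-beta"}, now=1.5)
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(simulate())  # [200, 200, 200, 429, 429, 200]
```

The limiter keys on the API key alone, which is exactly the point of the answer: once every key has a quota, it does not matter who is presenting it. For a multi-process or multi-instance deployment the in-memory deque would have to be replaced by a shared store, which is one of the reasons the answer points at managed API gateways.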
