javascript 如何保护 AJAX 应用程序中的私有 REST API
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8918851/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to protect a private REST API in an AJAX app
提问by aartiles
I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.
我知道发布了许多类似的问题,但没有一个是指用户可以访问代码的 HTML/javascript 应用程序。
I have a private REST API written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.
我有一个用 nodejs 编写的私有 REST API。它是私有的,因为它的唯一目的是为我的 HTML5 客户端应用程序(Chrome 应用程序和 Adobe Air 应用程序)提供服务。因此 API 密钥不是一个好的解决方案,因为任何用户都可以看到 javascript 代码。
I want to avoid bots creating accounts on my server and consuming my resources.
我想避免机器人在我的服务器上创建帐户并消耗我的资源。
Is there any way to acomplish this?
有什么办法可以做到这一点吗?
采纳答案by Chris Hutchinson
An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.
API 密钥是一个不错的解决方案,尤其是当您需要对 API 密钥的请求来源进行限制时;考虑到如果原始 Web 请求来自授权来源(例如您的私有域),您应该只接受 API 密钥。如果 Web 请求来自未经授权的域,您可以简单地拒绝处理该请求。
You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:
您可以通过使用专门的编码方案来提高此机制的安全性,例如基于散列的消息身份验证代码 (HMAC)。以下资源清楚地解释了此机制:
回答by Chris Hutchinson
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
您想要做的是使用相互认证的 SSL,这样您的服务器将只接受来自您的应用程序的传入连接,并且您的应用程序将只与您的服务器进行通信。
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform, similar tools exist for them as well. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
这是高级方法。创建自签名服务器 SSL 证书并部署在您的 Web 服务器上。如果您使用的是 Android,您可以使用 Android SDK 附带的 keytool 来实现此目的;如果您使用其他应用程序平台,也有类似的工具可供使用。然后创建一个自签名客户端并将其部署在您的应用程序中作为资源包含在您的应用程序中的自定义密钥库中(keytool 也会生成它)。将服务器配置为需要客户端 SSL 身份验证并仅接受您生成的客户端证书。将客户端配置为使用该客户端证书来标识自己,并且仅接受您为该部分安装在服务器上的一个服务器端证书。
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
如果您的应用程序以外的某人/某物尝试连接到您的服务器,则不会创建 SSL 连接,因为服务器将拒绝未提供您的应用程序中包含的客户端证书的传入 SSL 连接。
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android (I'm not as familiar with how to do this on other mobile platforms), both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
对此的分步说明是一个比此处所保证的要长得多的答案。我建议分阶段执行此操作,因为网络上有关于如何在 Android 中处理自签名 SSL 证书的资源(我不太熟悉如何在其他移动平台上执行此操作),包括服务器端和客户端。O'Reilly 出版的《Android 平台的应用程序安全性》一书中也有完整的演练。
