使用客户端 Javascript 时如何保密 API 密钥?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7847121/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to keep API keys secret when using client side Javascript?
提问by Finglas
For example, check out this Facebookplugin.
例如,查看这个Facebook插件。
In the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this feature on a different site?
在客户端,API 密钥清晰可见。是什么阻止其他用户获取此密钥并在其他站点上使用此功能?
I figured a very naive implementation would be to check the domain the request comes from but things like this are easy to fake.
我认为一个非常幼稚的实现是检查请求来自的域,但这样的事情很容易伪造。
If I were to create something similar, how would I go about securing the authentication process?
如果我要创建类似的东西,我将如何保护身份验证过程?
I want as much of this work to be client side, though some form of server authentication will be required surely? Any links or advice would be greatly appreciated.
尽管肯定需要某种形式的服务器身份验证,但我希望尽可能多地进行这项工作?任何链接或建议将不胜感激。
Update
更新
Similar questionabout API keys that I found useful.
关于我发现有用的 API 密钥的类似问题。
采纳答案by Piskvor left the building
In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).
三个字:服务器端验证。当您使用对给定站点不正确的密钥时,FB 本身会引发错误。API 密钥不应该是秘密的(与秘密密钥相反)。
回答by GregL
I haven't done this myself, but I know that the kind of attack you are worried about is called Cross-site Request Forgery (CSRF). The Wikipedia articleon that gives some hints on how to prevent it.
我自己没有这样做过,但我知道您担心的那种攻击称为跨站点请求伪造 (CSRF)。在维基百科的文章上提供了有关如何防止一些提示。
