如何确保只有我的javascript客户机web应用程序对REST API发出请求?

时间:2021-09-07 15:22:12

I'm building a web application. It's basically a blog.

我正在构建一个web应用程序。它基本上是一个博客。

There is a javascript client web application and there is a server that implements REST API.

有一个javascript客户机web应用程序和一个实现REST API的服务器。

When user visits my blog, I use javascript function loadPosts() which uses Ajax to send GET request to myblog.com/api/posts endpoint on the server. Server returns JSON array containing blog posts and javascript on the client side parses the JSON and appends HTML to display blog posts.

当用户访问我的博客时,我使用javascript函数loadPosts(),它使用Ajax将GET请求发送到服务器上的myblog.com/api/posts端点。服务器返回包含博客文章和客户端javascript的JSON数组,解析JSON并附加HTML以显示博客文章。

The problem I'm having is that I do not feel that my REST API is secure.

我遇到的问题是我觉得我的REST API不安全。

Keep in mind that I do not want website visitors to have to login in order to see blog posts. However it seems that anyone could type myblog.com/api/posts into their browser and get JSON response from my server containing all the blog posts. This means that someone else can create duplicate blog and use the data I have on my server just by calling my REST API!

记住,我不希望网站访问者必须登录才能看到博客文章。不过,似乎任何人都可以在浏览器中输入myblog.com/api/posts,并从包含所有博客文章的服务器获得JSON响应。这意味着其他人可以创建重复的博客,并通过调用REST API来使用我的服务器上的数据!

Therefore my question is how to make sure that only my javascript client is able to make calls to my server and get data from my REST API? Note that I do not want my blog visitors to authorize in order to be able to view blog posts.

因此,我的问题是如何确保只有我的javascript客户端能够调用我的服务器并从REST API获取数据?注意,我不希望我的博客访问者授权,以便能够查看博客文章。

Thanks in advance!

提前谢谢!

1 个解决方案

#1


1  

You could use the following approach.

您可以使用以下方法。

  1. Pass in client token from a loadPosts() method. You could use AES or some other encryption techniques to encrypt the token.
  2. 从loadPosts()方法中传入客户机令牌。您可以使用AES或其他加密技术对令牌进行加密。
  3. Decrypt the token to validate the request is coming from your method only.
  4. 解密令牌以验证请求仅来自您的方法。
  5. Respond to the request
  6. 响应请求

Even this approach can be hacked since your loadPosts() is client side javascript method. Anybody could get your token from their.

甚至这种方法也可能被攻击,因为loadPosts()是客户端javascript方法。任何人都可以从他们的。

If you would like more security, you could generate new token every time a new request is made and store in the database with the related information like IP address or something. Than you can verify that info in the api request and respond accordingly.

如果您想要更多的安全性,可以在每次发出新请求时生成新的令牌,并将相关信息(如IP地址或其他信息)存储到数据库中。您可以在api请求中验证该信息并作出相应的响应。

It all depends on how far you want to take it.

这完全取决于你想走多远。

I hope it helps

我希望这有助于

#1


1  

You could use the following approach.

您可以使用以下方法。

  1. Pass in client token from a loadPosts() method. You could use AES or some other encryption techniques to encrypt the token.
  2. 从loadPosts()方法中传入客户机令牌。您可以使用AES或其他加密技术对令牌进行加密。
  3. Decrypt the token to validate the request is coming from your method only.
  4. 解密令牌以验证请求仅来自您的方法。
  5. Respond to the request
  6. 响应请求

Even this approach can be hacked since your loadPosts() is client side javascript method. Anybody could get your token from their.

甚至这种方法也可能被攻击,因为loadPosts()是客户端javascript方法。任何人都可以从他们的。

If you would like more security, you could generate new token every time a new request is made and store in the database with the related information like IP address or something. Than you can verify that info in the api request and respond accordingly.

如果您想要更多的安全性,可以在每次发出新请求时生成新的令牌,并将相关信息(如IP地址或其他信息)存储到数据库中。您可以在api请求中验证该信息并作出相应的响应。

It all depends on how far you want to take it.

这完全取决于你想走多远。

I hope it helps

我希望这有助于