Is it secure to get the API key from the query string?
I am making an API and want other users to be able access it. My implementation is to get the API key and API "password" from the query string and use them to identify if the user is a valid user of our site.
domain.com/api/?api_key=theapikey&api_password=thepasswordhere
I am not familiar with security but is this a secure way to do it? Or is there more secure ways for doing this?
Comments (3)
I recommend passing it in the header. You would need something like curl or postman to call it, which is appropriate for most API keys that are designed for application integration.
If you are looking to have users view it in the browser, you'll need some login screen. This can be saved as a cookie so future requests don't always force a login.
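Added example (not code from the original thread) of what "passing it in the header" looks like on the server side: credentials are read only from request headers, a request that still carries them in the query string is refused, the stored secret is compared in constant time against a hash, and URLs are redacted before they reach an access log, which is the main reason query-string credentials are a problem. The header names `X-API-Key` / `X-API-Secret` and the `request` dict shape are assumptions; the key/secret values are the constructed ones from the question.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample store: key id -> SHA-256 hex digest of the secret.
# A real service would keep this in a database; never store the raw secret.
API_KEY_HASHES = {
    "theapikey": hashlib.sha256(b"thepasswordhere").hexdigest(),
}

# Query parameters that must never appear in plaintext in a log line.
SENSITIVE_PARAMS = {"api_key", "api_password"}


def secret_matches(key_id, secret):
    """Constant-time check of a presented secret against the stored hash."""
    presented = hashlib.sha256(secret.encode("utf-8")).hexdigest()
    stored = API_KEY_HASHES.get(key_id)
    if stored is None:
        # Compare against a dummy so unknown ids cost about the same time as known ones.
        hmac.compare_digest(presented, "0" * 64)
        return False
    return hmac.compare_digest(presented, stored)


def authenticate(request):
    """Return (ok, reason) for a request given as {"url": str, "headers": dict}.

    Credentials are accepted only from the (hypothetical) X-API-Key and
    X-API-Secret headers; anything placed in the query string is rejected.
    """
    query = parse_qs(urlsplit(request["url"]).query)
    if SENSITIVE_PARAMS & set(query):
        return False, "credentials in query string are rejected"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    key_id = headers.get("x-api-key")
    secret = headers.get("x-api-secret")
    if not key_id or not secret:
        return False, "missing credentials"
    if not secret_matches(key_id, secret):
        return False, "invalid credentials"
    return True, "ok"


def redact_url(url):
    """Mask credential-bearing query parameters before a URL is written to a log."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name in SENSITIVE_PARAMS:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # The URL from the question, as it would be logged without redaction
    leaky = "https://domain.com/api/?api_key=theapikey&api_password=thepasswordhere"
    print(authenticate({"url": leaky, "headers": {}}))
    print(redact_url(leaky))
    print(authenticate({"url": "https://domain.com/api/",
                        "headers": {"X-API-Key": "theapikey",
                                    "X-API-Secret": "thepasswordhere"}}))
```

Headers keep the secret out of browser history, referrer headers and server access logs, but they are still plaintext on the wire, so this only helps together with HTTPS.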
It's not secure no, there are more secure ways yes, look into OAuth. You'll probably be able to find some helper libraries in your language of choice.
a) You should use POST instead of GET, whereas GET is the method you are currently describing (when the data is in the address field). You get POST values by selecting the POST method from your web application's forms, i.e.:
b) That is somewhat more secure, but more security is perceived by using the https tunnel; you get that by installing a validated security key onto your web server and using https instead of http.
Example for Apache:
http://www.digicert.com/ssl-certificate-installation-apache.htm
Hope I helped out :)