使用客户端 Javascript 时如何保密 API 密钥?
例如,查看这个 Facebook 插件。
在客户端,API 密钥清晰可见。是什么阻止其他用户获取此密钥并在不同的站点上使用此功能?
我认为一个非常幼稚的实现是检查请求来自的域,但这样的事情很容易伪造。
如果我要创建类似的东西,我将如何保护身份验证过程?
我希望尽可能多的工作在客户端进行,尽管肯定需要某种形式的服务器身份验证?任何链接或建议将不胜感激。
更新
类似问题。
For example, check out this Facebook plugin.
In the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this feature on a different site?
I figured a very naive implementation would be to check the domain the request comes from but things like this are easy to fake.
If I were to create something similar, how would I go about securing the authentication process?
I want as much of this work to be client side, though some form of server authentication will be required surely? Any links or advice would be greatly appreciated.
Update
Similar question about API keys that I found useful.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
简而言之:服务器端验证。当您使用不适合给定站点的密钥时,FB 本身会抛出错误。 API 密钥不应是秘密的(与秘密密钥相反)。
In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).
我自己没有这样做过,但我知道您担心的那种攻击称为跨站点请求伪造(CSRF)。关于此问题的维基百科文章给出了一些关于如何防止这种情况的提示。
I haven't done this myself, but I know that the kind of attack you are worried about is called Cross-site Request Forgery (CSRF). The Wikipedia article on that gives some hints on how to prevent it.