问题描述
我知道有很多张贴类似的问题,但他们都不是指一个HTML / JavaScript的应用程序,用户可以访问code。
I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.
我在写一个的NodeJS私人REST API。它是私有的,因为它的唯一目的是服务器的HTML5应用程序的客户端(Chrome应用和Adobe AIR应用程序)。因此,一个API密钥是不是因为任何用户都可以看到的JavaScript code一个很好的解决方案。
I have a private REST API written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.
我想避免机器人创建我的服务器上的帐户和消耗我的资源。
I want to avoid bots creating accounts on my server and consuming my resources.
有什么办法来acomplish呢?
Is there any way to acomplish this?
推荐答案
这是API密钥,特别是如果你需要的API密钥的要求起源约束的体面的解决办法;认为,如果原始Web请求来自授权的来源,如你的私人领地,你应该只接受一个API密钥。如果Web请求来自未经授权的域名,你可以简单地拒绝处理请求。
An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.
您可以通过使用一个专门的编码方案,如基于散列的消息验证code(HMAC)完善这一机制的安全性。下面的资源清楚地解释了这个机制:
You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:
http://cloud.dzone.com/news/using-api-keys-effectively
这篇关于如何保护私人REST API在AJAX应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!