英文:
Need help verifying the origin of a request with C# and JavaScript
问题
首先,让我从这里开始,我了解JavaScript可能会被篡改,所以我不是在寻找一个百分之百安全的解决方案。我有一个公共API,用于接收来自外部网络应用程序的请求。有时,这些网络应用程序直接访问我们的API,而其他时候它们通过我们一些合作伙伴提供的另一个API来访问。
在合作伙伴场景中,我们希望确保API请求最终来自特定的URL。我的想法是这样的:
我们可以提供一个脚本,供这些网络应用程序添加到它们的网站上,因此我想我们可以设置一个API端点,其任务是捕获请求,验证来源(URL),并生成一个令牌,他们必须在稍后通过合作伙伴API发送真正的API请求时一同发送。
是否有更好的方法,或者我只能依赖于原始标头来确定网站的来源?我希望能够在客户端侧利用其他数据点来验证流量是否来自特定的URL。
英文:
First, let me start with, I understand JavaScript can be tampered with so I'm not looking for a fool-proof solution. I have a public API that takes requests from external web applications. Sometimes the web applications are directly hitting our API and other times they jump through another API offered by some of our Partners.
In a partner scenario, we want to ensure the API requests are ultimately coming from specific URLs. My idea is this:
We're allowed to offer a script that the webapps can add to their sites so I was thinking we can set up an API Endpoint whose job is to capture the request, verify the origin (URL), and spit out a token that they must ultimately send later with the real API request through the partner API.
Is there a better approach or am I just really limited to the origin header to find out the website? I was hoping there were additional data points I can leverage on the client side to verify the traffic is coming from a specific URL
答案1
得分: 3
你说你的 API 是公开的,但你要寻求的是身份验证,以便验证请求的来源。我建议在你的情况下使用某种 API 密钥身份验证。
如果你担心合作伙伴篡改请求,你会想要为每个请求实现客户端签名。通常会为每个客户端分配一个 API 密钥和密钥。密钥用于生成随每个请求发送的签名。你的服务器在响应之前验证这个签名。API 密钥和密钥应直接分配给客户端,而不是通过合作伙伴,以避免中间人攻击。
根据你所使用的平台,有许多中间件和库可帮助实现这种身份验证方案。
英文:
You say your API is public but what you're looking for is authentication so you can verify the source of requests. I'd suggest some sort of API key authentication is in order in your situation.
If you're concerned with partners tampering with request, you'll want to implement a client signature for each request. This is typically done by issuing each client an api key and secret key. The secret key is used to generate a signature sent with each requests. Your server verifies the signature before responding. The api key and secret key should be issued directly to the client and not through partners to avoid man in the middle attacks.
Depending on your platform there are plenty of middleware and libraries to help implement this sort of authentication scheme.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论