
How to secure a service from being looped through to find out its api key

Let's say we have a WCF web service, and its link is as follows:

http://www.example.com/service/?api=62383581

62383581 is the API key here. How can we secure the service from being looped through to find out its API key?


I think the discussion should be about "how to make it difficult", not preventing it, since if you are going to expose your service to the public you are prone to attacks.

The possibilities to make it difficult could be:

  • If you are providing access to your service to a closed set of customers, then you can apply IP restrictions on your server to prevent calls from any other service. Again, this will prevent any calls from client-side scripts (e.g. JavaScript) and will be open to IP spoofing.

  • You can place IP restrictions in your service too: in a Message Inspector you can verify the IP and, if it's not in your range, throw an exception to prevent further access.

  • Use an alphanumeric API key including special characters to make it very complex and difficult to loop through (brute force). (The best fit I can think of for your scenario.)

  • You can give your client a public key (different for each client), ask them to append some identifier to the key, e.g. api&customerID, and encrypt it with your key, since on the server side you have the private key for that specific client, and vice versa (this carries the overhead of encryption/decryption).

And if you have a man in the middle, then this can compromise all of the above. These are all just to make things difficult and may require rethinking depending on your detailed scenario.


Use a GUID instead of an int to make it much harder to brute-force.
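
The two points above (the first answer's Message Inspector check and complex key, the second answer's GUID) put in working code, as an added example that is not from the question or any answer. It is written in Python because the logic does not depend on WCF; `ApiKeyGuard`, its thresholds and the sample IPs are assumptions, not anything from the original post.

```python
"""Added example (not from the post): why an 8-digit integer key in the URL is
enumerable, and a validator a message inspector could wrap: hashed key storage,
constant-time comparison and a per-caller failure counter. Names are assumptions."""
import hashlib
import hmac
import math
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlparse

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Search-space size, in bits, of a key of `length` symbols."""
    return length * math.log2(alphabet_size)

def enumeration_years(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key at a given sustained request rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

INT_KEY_BITS = keyspace_bits(10, 8)   # the post's 62383581-style key: ~26.6 bits
GUID_KEY_BITS = 128                   # a random GUID, as the second answer suggests

class ApiKeyGuard:
    """Validate ?api=... keys without storing plaintext or leaking timing."""

    def __init__(self, max_failures: int = 20, window_s: int = 3600):
        self._hashes = set()                       # sha256 digests of issued keys
        self._failures = defaultdict(deque)        # client_ip -> failure timestamps
        self.max_failures, self.window_s = max_failures, window_s

    def issue_key(self) -> str:
        key = secrets.token_urlsafe(24)            # 192 bits, URL-safe alphabet
        self._hashes.add(hashlib.sha256(key.encode()).digest())
        return key

    def check(self, url: str, client_ip: str, now=None) -> str:
        """Return 'ok', 'invalid', or 'blocked' once a caller exceeds max_failures."""
        now = time.time() if now is None else now
        recent = self._failures[client_ip]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                       # drop failures outside the window
        if len(recent) >= self.max_failures:
            return "blocked"                       # enumeration signal: alert on this
        key = parse_qs(urlparse(url).query).get("api", [""])[0]
        digest = hashlib.sha256(key.encode()).digest()
        if any(hmac.compare_digest(digest, h) for h in self._hashes):
            return "ok"                            # constant-time digest comparison
        recent.append(now)
        return "invalid"
```

At 1000 requests per second the 8-digit key space is exhausted in about a day, while a 128-bit key at a billion guesses per second takes longer than the age of the universe; the failure counter is what turns the looping itself into a detectable event.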


I suppose checking the caller's IP address and preventing the same IP address from making more than n calls per hour would be pointless, since attackers would use spoofing to throw such efforts off.

The only way I can think of is to use either a strong configurable firewall that can detect such attacks, or an Intrusion Prevention System (IPS) such as Winsnort. See also http://www.winsnort.com/index.php?module=News&func=display&sid=41


Any API key contained in a program on an untrusted client can be leaked by definition.
