Security for AJAX requests from the client side accessing an API
Let's say you want a third party site to copy and paste a snippet of JavaScript code you provide. This code uses an AJAX request to access a JSON API on your servers. How would you implement security so that, while associating API usage to a website that has signed up and received an API key, you would effectively disallow a site to abuse another site's API key/usage? Is this security not possible from the client side? Must the site access the API from the server?
You can also check HTTP referrer of the request on your server site.
I don't think changing JavaScript code can fake it.
But it cannot stop someone from sending a custom package from a custom browser or some HTTP client.
Implementing a server-side solution is possible and not too hard, but it will stop many sites from using your script.
You can let them send the request from their servers, or let them keep the key on their servers and hash the key before sending it to the client (the hashed key changes after a time interval)...
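The two server-side checks from the answer above (compare the browser-set Origin/Referer against the domain registered for the key, and accept only a time-rotating hash derived from a key that never leaves the site's own server) as an added example, not code from the original post. The registry, secrets, domain names and the 5-minute window are constructed assumptions; as the answer notes, a non-browser client can send any header it likes, so the origin check only raises the bar for other websites, while the rotating token limits what a copied snippet is worth.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed registry: API key -> the secret and the site that signed up for it.
# In practice this lives in your database; the secret is never sent to the browser.
REGISTERED_SITES: Dict[str, Dict[str, object]] = {
    "key_site_a": {"secret": b"site-a-secret", "domain": "site-a.example"},
}

TOKEN_WINDOW_SECONDS = 300  # derived token rotates every 5 minutes (assumption)


def derive_token(secret: bytes, now: float) -> str:
    """Time-bucketed HMAC that the site's own server computes and embeds in the snippet.

    The raw secret stays server-side; only this short-lived value reaches the client."""
    bucket = int(now // TOKEN_WINDOW_SECONDS)
    return hmac.new(secret, str(bucket).encode(), hashlib.sha256).hexdigest()


def origin_host(headers: Dict[str, str]) -> Optional[str]:
    """Prefer Origin, fall back to Referer; page scripts cannot override either in a browser."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    return urlparse(value).hostname


def authorize(headers: Dict[str, str], api_key: str, token: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether an AJAX call to the JSON API may use this API key."""
    now = time.time() if now is None else now
    site = REGISTERED_SITES.get(api_key)
    if site is None:
        return False, "unknown api key"
    if origin_host(headers) != site["domain"]:
        return False, "origin mismatch"
    # Accept the current and the previous window so a page loaded just before
    # rollover keeps working; anything older is treated as stale or forged.
    bucket = int(now // TOKEN_WINDOW_SECONDS)
    valid = {derive_token(site["secret"], b * TOKEN_WINDOW_SECONDS)
             for b in (bucket, bucket - 1)}
    if not any(hmac.compare_digest(token, v) for v in valid):
        return False, "stale or forged token"
    return True, "ok"
```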
You can just check window.location, or some component thereof.
The only way I can think of to enforce such security would be to go by the IP address, but that is risky at best, as there are many reasons why it would be a bad design.
This would be the security on the server-side protecting the javascript file. You could just have a web service serve up the javascript so it can do the check before ever sending the file to the client.