Developer's control panel and web services - keep in 1 project or separate them?
Do you keep the developer's control panel and the application's web service in 1 project, or do you separate them into 2 different projects?
(The developer's control panel is used to set up the web service API, check logs, read the document specification, and see details about each web service.)
When you host the solution, you would do something like this:
developer.domain.com <-- developer's control panel
api.domain.com <--- web service api
or
api.domain.com <-- both developer's control panel and web service api
I would strongly recommend separating the two domains (e.g. into "developers.domain.com" for the control panel / documentation and "api.domain.com" for the API itself). This is important for cross-site-scripting safety.
If both are on "api.domain.com", the following can happen:
- Suppose you are logged into the control panel, and thus have a cookie to api.domain.com
- You now visit a completely different site, evildomain.com, which has some malicious Flash or Silverlight content that appears to do something innocent (e.g. a game, movie, etc)
- The malicious Flash or Silverlight content tries to make a call to api.domain.com to steal or modify your personal information (it makes the call to a control panel page, NOT to the API itself!)
- The malicious call would automatically get the login cookie attached to it by the browser, and so will look like a legitimate call to the control panel site
- The api.domain.com will have to be cross-domain-enabled (with the crossdomain.xml file) to enable legitimate API calls from Flash/Silverlight clients, and so the malicious call will go through as well, and thus the control panel site will be compromised!
There are ways to avoid the attack above while still keeping the API and the control panel on the same domain, but the easiest way to avoid it is to separate the domains.
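The scenario above hinges on what api.domain.com's crossdomain.xml grants. The following is an added example (not part of the answer above): a small Python checker, with two constructed sample policies, that reports which `<allow-access-from>` entries would let content from a given host make cookie-bearing calls, and flags the wildcard entry that exposes a control panel sharing that host. The `secure` default of "true" is this checker's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from any real site): the permissive form
# that makes the scenario above possible, and a restricted form.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.partner.example" secure="true" />
  <allow-access-from domain="widgets.example" secure="false" />
</cross-domain-policy>"""


def _host_matches(pattern: str, host: str) -> bool:
    """Flash-style matching: '*' matches everything; '*.example.com'
    matches example.com and any of its subdomains; otherwise exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return pattern == host


def allowed_entries(policy_xml: str, requesting_host: str, https: bool = True) -> list:
    """Return the <allow-access-from> domain values that let content served
    from requesting_host read responses from this host (cookies attached)."""
    root = ET.fromstring(policy_xml)
    hits = []
    for el in root.iter("allow-access-from"):
        # secure="true" means the requesting content must itself be served
        # over HTTPS; treating a missing attribute as "true" is an assumption.
        secure = el.get("secure", "true").lower() == "true"
        if secure and not https:
            continue
        if _host_matches(el.get("domain", ""), requesting_host):
            hits.append(el.get("domain"))
    return hits


def wildcard_entries(policy_xml: str) -> list:
    """Flag entries that grant every origin access: on a host that also serves
    a cookie-authenticated control panel, these are the dangerous ones."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain") for el in root.iter("allow-access-from")
            if el.get("domain") == "*"]
```

Run `wildcard_entries` against the policy actually served from the API host; a non-empty result is the signal that the control panel should not share that host.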
I don't see a reason to separate this when:
- There is no technical reason to keep them separate;
- You have authentication set up correctly so that you're sure only the developers can access this;
- The developer tools are actually tied specifically to api.domain.com.
If you e.g. had multiple applications (api1, api2, api3, etc) and the developer site actually spans these different applications, then, yes, keep them separate.
If the above reasons don't apply, go with what you feel fits best.