Securing an API consumed via AJAX (tags: API, AJAX)

2023-09-10 22:00:57 Author: 典型小二货

I have a REST JSON API (built in .NET) that needs to be consumed by the following clients (over HTTPS):

- An SPA website (AJAX)
- Mobile apps

Everything (API, SPA website, mobile apps) is in-house.

Usually for an API I'd go with Basic authentication, but obviously once you open up your API to AJAX, security gets tricky.

A note on "securing" the API - I mainly want to stop scrapers hacking/hammering the API, and the data isn't exactly ultra-private.

Here's the solutions i have in mind:

1. Do nothing. Leave it open, but use throttling/rate limiting to stop my API from being scraped.
2. Have the AJAX calls go through a middleman server. Obviously this means extra latency, doubled-up code, etc.
3. Use HMAC with nonces and a message format agreed between client and server, and only allow CORS from a set of allowed domains. (Yes, I know the Origin header can be spoofed.)

I'm leaning towards option 3. Since we are over HTTPS the request can't be sniffed; however, obviously I can simply go to the SPA app, pop open Fiddler and see the HMAC message, but the nonces will stop replay attacks. Obviously, if someone was that way inclined, they could download the minified JS for the SPA app, find where the AJAX calls happen and somehow figure out the HMAC format. This is the only downside I can see.

Can i please have some advice on this?

Thanks

Recommended answer

I think that you have great ideas to secure your Web API. Here are some additional thoughts:

- You should prefer token-based authentication instead of basic authentication. This allows adding expiration, refresh, ... I wrote an article on this subject: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/

- You should also be careful about possible XSS in the SPA if you store the security context in it. If you choose to keep basic authentication, it doesn't really apply since the browser keeps this context for you. Here are some links regarding such aspects: "What are (if any) the security drawbacks of REST Basic Authentication with Javascript clients?" and "Is there any safe way to keep a REST auth token on the client side for an SPA?". Notice that JS frameworks like Angular provide support to prevent this.

- Using rate limiting is also a good thing. It will provide a guard against scrapers hacking. You can have a look at what Restlet provides at this level for advice: http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/apispark/firewall

- Option 3 is perhaps a bit strong, but you could implement a security mechanism like the one (signature-based) used / provided by AWS. It signs the request using an access key identifier (see this link: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html). This class from Restlet could give you hints about the implementation: https://github.com/restlet/restlet-framework-java/blob/master/modules/org.restlet.ext.crypto/src/org/restlet/ext/crypto/internal/AwsUtils.java

I think that if you use / consider / implement some or all mechanisms, you will have a pretty good authentication and security for your Web APIs ;-)

Hope it helps you, Thierry