问题描述
使用 PHP,您如何安全地验证 API 调用,跨域,符合以下条件:
Using PHP, how do you securely authenticate an API call, cross-domain, with the following criteria:
- 必须从给定的 domain.com/page 调用(没有其他域)
- 必须有给定的密钥
一些背景知识:回答前请仔细阅读...
我的 Web 应用程序将通过如下调用在客户的网站上显示一个 javascript 小部件.因此,我们谈论的是跨域身份验证的脚本,但仅针对真正的客户端和给定的 URL!
My web application will display a javascript widget on a client's website via a call like the one below. So we're talking about cross-domain authentication for a script to be served but only to genuine client and for a given URL only!
目前,客户的网站可以通过单行 javascript 包含小部件.
At the moment the widget can be included by the CLIENT's website, by a single-line of javascript.
client-website.com/page/with/my-widget 示例
<head>
...
<script src="//ws.my-webappserver.com/little-widget/?key=api_key"></script>
...
</head>
现在,实际上这并不直接调用 javascript,而是我的远程服务器上的一个 PHP 脚本,它位于实际 javascript 的前面,用于进行一些身份验证.
Now, in reality this does not call javascript directly but a PHP script on my remote server which sits in front of the actual javascript for the purpose of doing some authentication.
上述调用背后的 PHP 脚本首先执行此操作:
The PHP script behind the above call does this first:
- 检查 API 密钥 ($_REQUEST["key"]) 是否与数据库中的用户记录匹配.
- 根据数据库中的记录检查引荐来源网址 ($_SERVER['HTTP_REFERER']).
这是简化的,但本质上服务器看起来像:
This is simplified, but in essence the server looks like:
if ($_SERVER['HTTP_REFERER'] !== "http://client-website.com/page/with/my-widget")
&& $_REQUEST["Key"] == "the_long_api_key") {
header("Content-type: application/x-javascript");
echo file_get_contents($thewidgetJS_in_secret_location_on_server);
} else {
//pretend to be a 404 page not found or some funky thing like that
}
***小部件只允许在某些网站/页面上运行
***The widget is only allowed to run on CERTAIN websites/pages
现在,问题来了:
- 密钥在客户端,因此任何人都可以查看源代码并获取密钥
- 例如可以欺骗引荐来源网址(通过 cURL)
还有一点问题:我不能告诉客户将密钥粘贴在他们服务器上的 php 脚本中,因为他们可以运行任何服务器端语言!
And a little snag: I can't tell the clients to stick the key inside a php script on their server because they could be running any server side language!
那么我怎样才能使我的网络服务安全且只能由给定的域/页面访问?
So how can I make my web service secure and only accessible by a given domain/page?
任何帮助将不胜感激!
ps:小部件会将一些内容上传到一种投递箱 - 所以这里的安全性是关键!
ps: The widget does some uploading to a kind of drop box - so security is key here!
推荐答案
id 建议使用白名单方法来解决这个问题,我不完全确定这会解决问题,但是我对支付处理器使用了类似的技术,它需要您将服务器 IP 列入白名单.
id recommend using a whitelist approach to this issue, i am not entirely sure this will solve the problem however i have used a similar technique for a payment processor which requires you to whitelist server-ips.
这篇关于PHP驱动的API如何跨域认证真正的客户端(引用者)(知道标头可以被欺骗)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!