javascript - 如何防止第三方网站私自调用网站的后端接口
对于前后端完全分离的网站,后端采用PHP/Java/Python向前端输出json格式的数据,而前端通过ajax向后端调用接口获取数据。这种情况下,后端的接口如果没有采取一定的保护措施是很容易被其他人恶意调用来做一些非法操作。那么,现在在这种前后端完全分离的网站架构下有哪些主流的对后端接口保护的做法?
回复内容:
对于前后端完全分离的网站,后端采用PHP/Java/Python向前端输出json格式的数据,而前端通过ajax向后端调用接口获取数据。这种情况下,后端的接口如果没有采取一定的保护措施是很容易被其他人恶意调用来做一些非法操作。那么,现在在这种前后端完全分离的网站架构下有哪些主流的对后端接口保护的做法?
1)给你API的用户发放验证Key,对请求的数据内容按双方定义的规则结合Key进行编码,后端拿到请求后解码校验是否符合预期,并设置每个Key的访问频率~~
内容不符合预期直接拒绝响应
访问过于频繁,那么此用户在一定时间内不允许访问~~~
2)还可以发放SSH私钥/公钥的方式来保证~~~
用Access-Control-Allow-Origin header 和 csrf的token来控制。
有的需要限制次数的还会在headers中加入X-RateLimit-Limit和X-RateLimit-Remaining来控制访问
目前我的想法更多是限制操作频度来控制,因为无论你怎么做,会Chrome插件开发的脚本小王子总能利用你的用户体验需求绕过所有限制。
同时也建议你开放出去的api权限控制好,比如
http://api.xxx.com/customer/user/get?id=12345
不要将这个api设计为随意更换id就能查询到所有用户的信息,要在filter中对传入的id和session中维护的登录用户信息做鉴权校验。
如果这个页面被设计为不需要用户登录即可查看的偏静态页面,那我会推荐你不要用方案来实现这种页面。因为很难去做SEQ和CDN化
给你一个简单的方案:判断请求来源是不是ajax,如果不是,则拒绝请求。那么来自ajax的请求,可以进行计数,如果单位时间请求过于频繁的话,禁止请求(这样会武断的屏蔽掉一个IP后面有一家大公司的情况)。
如果是ajax的话,你根本不能判断对方是不是恶意请求,因为它很有可能真的来源于你自己的页面。
做个token验证。在前端要调用后端接口的时候,传个加密过的token过来就行啦
一般就是token,还有就是来源。。。这就杀了一片了。
做好后端验证是最重要的。
传递的数据可以用js加个密,能略微增加一些抓包的难度
最近我也在思考这个问题
试试Oauth验证
后端没有记录session,怎么获取数据?
后来,我大致想了一下,一些不是非常敏感的数据,不需要登录就可以加载,如果是敏感的数据需要用户登录了之后才可以用异步调用。
验证码,session,限制ip 这些都是可以做的…
所见即所得,没办法。
http协议的无状态特性决定了是无法彻底避免第三方调用你的后台服务。前面几位说的方法都有一定的作用,包括crsf、接口调用频率、用户行为分析等从某一些方面来说都是只能增加第三方调用的难度而已。
12306网站就是最好的实例。
登录数据可以用session,如果不需要登录的,可以用参数密钥时间认证。
<code> test.php?a=1&b=2&time=12345678&code=xxxx </code>
xxxx就是认证码,简单点可以用md5(a1b2time12345678passwd),即参数列表,加上当前时间,加上密码。你可以使用多个密码,即一个客户端一个密码,每个客户端发一个appid,即增加一个参数,
<code>`test.php?appid=1&a=1&b=2&time=12345678&code=xxxx`,</code>
这样可以随时修改一个客户端的密码,或者丢弃某个客户端请求。
非法访问通常使用认证来解决,方法很多session,oauth等等。
对于合法的认证访问通常需要进行访问频率和次数的限制,各种API框架都有支持,比如Django restframework的throttling。
对于拒绝服务时的访问,通常需要在更前端做控制,比如在nginx上配置rate limit。
参照各大开放接口,做一个token验证,每次发起请求必须带验证。就不会被随意调用了。
HTTP请求支持鉴权,用base auth 做访问身份验证.或者用oauth2对请求做认证.
lz 可以参考下微信js 的接口
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
PHP: An Introduction to the Server-Side Scripting Language
Apr 16, 2025 am 12:18 AM
PHP is a server-side scripting language used for dynamic web development and server-side applications. 1.PHP is an interpreted language that does not require compilation and is suitable for rapid development. 2. PHP code is embedded in HTML, making it easy to develop web pages. 3. PHP processes server-side logic, generates HTML output, and supports user interaction and data processing. 4. PHP can interact with the database, process form submission, and execute server-side tasks.
Why Use PHP? Advantages and Benefits Explained
Apr 16, 2025 am 12:16 AM
The core benefits of PHP include ease of learning, strong web development support, rich libraries and frameworks, high performance and scalability, cross-platform compatibility, and cost-effectiveness. 1) Easy to learn and use, suitable for beginners; 2) Good integration with web servers and supports multiple databases; 3) Have powerful frameworks such as Laravel; 4) High performance can be achieved through optimization; 5) Support multiple operating systems; 6) Open source to reduce development costs.
PHP and the Web: Exploring its Long-Term Impact
Apr 16, 2025 am 12:17 AM
PHP has shaped the network over the past few decades and will continue to play an important role in web development. 1) PHP originated in 1994 and has become the first choice for developers due to its ease of use and seamless integration with MySQL. 2) Its core functions include generating dynamic content and integrating with the database, allowing the website to be updated in real time and displayed in personalized manner. 3) The wide application and ecosystem of PHP have driven its long-term impact, but it also faces version updates and security challenges. 4) Performance improvements in recent years, such as the release of PHP7, enable it to compete with modern languages. 5) In the future, PHP needs to deal with new challenges such as containerization and microservices, but its flexibility and active community make it adaptable.
How to run programs in terminal vscode
Apr 15, 2025 pm 06:42 PM
In VS Code, you can run the program in the terminal through the following steps: Prepare the code and open the integrated terminal to ensure that the code directory is consistent with the terminal working directory. Select the run command according to the programming language (such as Python's python your_file_name.py) to check whether it runs successfully and resolve errors. Use the debugger to improve debugging efficiency.
Can visual studio code be used in python
Apr 15, 2025 pm 08:18 PM
VS Code can be used to write Python and provides many features that make it an ideal tool for developing Python applications. It allows users to: install Python extensions to get functions such as code completion, syntax highlighting, and debugging. Use the debugger to track code step by step, find and fix errors. Integrate Git for version control. Use code formatting tools to maintain code consistency. Use the Linting tool to spot potential problems ahead of time.
Is the vscode extension malicious?
Apr 15, 2025 pm 07:57 PM
VS Code extensions pose malicious risks, such as hiding malicious code, exploiting vulnerabilities, and masturbating as legitimate extensions. Methods to identify malicious extensions include: checking publishers, reading comments, checking code, and installing with caution. Security measures also include: security awareness, good habits, regular updates and antivirus software.
Can vs code run in Windows 8
Apr 15, 2025 pm 07:24 PM
VS Code can run on Windows 8, but the experience may not be great. First make sure the system has been updated to the latest patch, then download the VS Code installation package that matches the system architecture and install it as prompted. After installation, be aware that some extensions may be incompatible with Windows 8 and need to look for alternative extensions or use newer Windows systems in a virtual machine. Install the necessary extensions to check whether they work properly. Although VS Code is feasible on Windows 8, it is recommended to upgrade to a newer Windows system for a better development experience and security.
PHP vs. Python: Use Cases and Applications
Apr 17, 2025 am 12:23 AM
PHP is suitable for web development and content management systems, and Python is suitable for data science, machine learning and automation scripts. 1.PHP performs well in building fast and scalable websites and applications and is commonly used in CMS such as WordPress. 2. Python has performed outstandingly in the fields of data science and machine learning, with rich libraries such as NumPy and TensorFlow.
