API based on user IP address

心在旅途 2020-12-12 07:32

I developed an API to get all the data.

The site does not have a user registration system or anything to identify the user making a call to the API. If I could identi

4 answers
  •  陌清茗 (OP)
    2020-12-12 08:10

    First, you won't get the MAC address of the end-user. Even if you read the MAC address of incoming packets, you'll only get the MAC address of your router (which you definitely do not want to ban!)

    User IPs are pretty easy to change and/or spoof (malware or confused-deputy JavaScript, for example). Blocking those that make bad requests is still a good idea, but you definitely don't want to use them for authentication.

    You should consider pretty much everything in an HTTP request (path, headers, and so on) attacker-controlled input and definitely not make authentication decisions based solely on information contained therein.

    You mention you have a PHP backend. Why not build a system to generate API keys through that?
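
The API-key approach suggested in the answer above, sketched as an added example that is not part of the original answer or the asker's code. The `ApiKeyStore` class, the `<id>.<secret>` key format and the in-memory array are assumptions for illustration; a real backend would persist the records in its database and read the key from a request header.

```php
<?php
declare(strict_types=1);

// Hypothetical store: key id => stored hash and revocation flag.
final class ApiKeyStore
{
    /** @var array<string, array{hash: string, revoked: bool}> */
    private array $keys = [];

    // Issue a key "<id>.<secret>". Only a SHA-256 hash of the random
    // secret is kept, so a leaked table does not reveal usable keys.
    public function issue(): string
    {
        $id = bin2hex(random_bytes(8));       // 16 hex chars, public lookup handle
        $secret = bin2hex(random_bytes(32));  // 64 hex chars from the CSPRNG
        $this->keys[$id] = ['hash' => hash('sha256', $secret), 'revoked' => false];
        return $id . '.' . $secret;           // shown to the client once
    }

    public function revoke(string $id): void
    {
        if (isset($this->keys[$id])) {
            $this->keys[$id]['revoked'] = true;
        }
    }

    // Returns the key id for a valid key, null otherwise. The presented
    // value is attacker-controlled, so its shape is checked before lookup
    // and the hash comparison is constant-time.
    public function verify(?string $presented): ?string
    {
        if ($presented === null
            || !preg_match('/^([0-9a-f]{16})\.([0-9a-f]{64})$/', $presented, $m)) {
            return null;
        }
        $record = $this->keys[$m[1]] ?? null;
        if ($record === null || $record['revoked']) {
            return null;
        }
        return hash_equals($record['hash'], hash('sha256', $m[2])) ? $m[1] : null;
    }
}

// Constructed demo input: one issued key, one forged key, then a revocation.
$store = new ApiKeyStore();
$key = $store->issue();
$id = explode('.', $key)[0];
var_dump($store->verify($key) === $id);                     // case: issued key
var_dump($store->verify($id . '.' . str_repeat('0', 64)));  // case: wrong secret
$store->revoke($id);
var_dump($store->verify($key));                             // case: revoked key
```

The client IP never enters the decision; it remains useful only for rate limiting or blocking abusive sources, as the answer notes.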
