问题
I'm writing a javascript plugin which will be installed by bloggers/website owners. It will communicate with my remote API.
I'm wondering how to secure the API to ensure that only domains owned by users that have registered an account with the service can access resources from the API. I've read up on OAuth2 and understand the basics, but because the plugin will run from within the browser and not from server to server, i'm not sure how secure this can be.
Tons of services like mixpanel, google analytics, olark use the same concept (i.e. website owner install a line of JS on their site) so it must be a solved problem.
回答1:
You can insert window.location checks into your script to prevent other people from including it directly off of your servers.
However, it is impossible to prevent people from downloading the scripts locally, removing your protection, then hosting it themselves.
You can require an API key in all server-side requests, but enemies can easily steal API keys from legitimate sites.
来源:https://stackoverflow.com/questions/10603980/securing-an-api-for-use-with-javascript-widget