Question
I have a small one-page browser-based app which consumes a REST API. Users are authenticated via a shortish-lived token-based system.
I'm likely going to expand this to also include mobile apps (either native or hybrid) which will also consume the same API.
I do have one concern though - how can I 'lock' my API so that only my apps can consume it?
In other words, how can I stop someone else building an app that uses my API?
Answer 1:
You need some sort of authentication, and if you're going to do authentication you'll need to make your REST API use HTTPS. Basic auth usually fits the bill nicely. Your apps will have credentials, but your human users will not. This will also allow you to give credentials to a customer, or somebody who wishes to use your API if you would like.
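One way to implement the server-side check the answer describes, as an added example that is not code from the answer or the original question: it parses an HTTP Basic `Authorization` header, looks the app up in a store of hashed credentials, and compares in constant time. The app names, secrets and salt are constructed for the demo, and the check is assumed to run on the server behind HTTPS as the answer requires.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo salt; a real deployment would use a per-credential random salt.
_SALT = b"constructed-demo-salt"


def _hash_secret(secret: str) -> bytes:
    """Derive a fixed-length digest so plain-text app secrets are never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), _SALT, 100_000)


# Constructed credential store: one entry per client app that may call the API.
APP_CREDENTIALS: Dict[str, bytes] = {
    "web-spa": _hash_secret("web-secret-demo"),
    "mobile-ios": _hash_secret("ios-secret-demo"),
}


def authenticate_app(headers: Dict[str, str]) -> Optional[str]:
    """Return the app id for a valid Basic credential, or None if it is rejected."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload
    app_id, sep, secret = decoded.partition(":")
    if not sep:
        return None  # Basic credentials must be "id:secret"
    expected = APP_CREDENTIALS.get(app_id)
    candidate = _hash_secret(secret)
    # Always hash and compare so unknown ids and bad secrets take similar time.
    if expected is None or not hmac.compare_digest(candidate, expected):
        return None
    return app_id


def basic_header(app_id: str, secret: str) -> Dict[str, str]:
    """Build the header a client app would send (helper for the demo)."""
    token = base64.b64encode(f"{app_id}:{secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}
```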
Source: https://stackoverflow.com/questions/22405501/locking-down-a-rest-api-to-one-app-how