问题
I created an API using flask_restjsonapi, I want to integrate the API where it can only work with my future reactjs frontend(the application is an E-commerce, the API is the backend which is representing the app datalayer). I expect that a user could access the products data without being authorized (as a guest), but it certainly needs to be logged to access to a pay view or for buying something. So how could I get this? Oauth (which flow type), basic authentication, cookies. Which steps do I follow?
PS: I'm kind of new in Reactjs and API security.
回答1:
First of all, do not implement your own security (I do not think you indent to do that reading your question, this is for completeness).
Then start by reading the OWASP REST Security Cheat Sheet. It will give you an overview of what to be ready for.
Once you understand what the various elements are for, implement them using a library for your language. Again, do not try to roll your own version - libraries will be way faster and way, way more secure.
I want to integrate the API where it can only work with my future reactjs frontend
This is not possible (the only part). If you have an API, anything can connect to it if it knows how to do that. Do not try to make it a secret (this is called "security by obfuscation" which may or may not be a useful idea, but certainly never a security solution on its own)
来源:https://stackoverflow.com/questions/62570367/how-do-i-secure-api-flask-in-order-to-be-only-consumed-for-my-frontend-app