问题
I'm currently developing an API for a website, but the website doesn't require logging in to use, so the API has to work without individual user authentication. The goal is to prevent the API from being used by a 3rd party.
Is there a way to protect the API to only be used by my website, without using login authentication to prevent 3rd parties from calling the backend service.
I've looked into CORS, but it doesn't seem like a strong guarantee. Another thought was a rotating API key. What is usually used in these situations?
回答1:
You can set a ProxyPass configuration in your Apache web server to redirect the requests that you do in your frontend to your backend, this way the backend endpoint will be hidden.
I'll show you an example...
ProxyPass "/foo" "http://yourbackend.com/bar"
ProxyPassReverse "/foo" "http://yourbackend.com/bar"
This way all the request to yourfrontend.com/foo will be redirected to yourbackend.com/bar and in you open the console of your navigator you only will see the request to yourfrontend.com/foo....
Ofcourse if somebody founds the backend url, will be accesible.
回答2:
When your website is loaded, set a unique token in your client. Send this unique token in all your requests to your server which can help you identify whether the API is being accessed by your client.
User doesn't have to login, but you set a token in this case, which is similar to API Key authentication type.
来源:https://stackoverflow.com/questions/50008075/is-there-a-way-to-secure-an-api-without-login-based-authentication