How to hide the API key in my Electron application?



Article URL: https://www.itbaoku.cn/post/1937875.html

Question

I'm building an Electron application that uses Google's YouTube Data API v3. For accessing the API, I decided to use the standard API key (instead of OAuth, since I am not going to be accessing any personal data).

But the problem is, I cannot hide the API key in my app, and I also cannot use referrer restrictions (referrer restrictions allow you to filter which websites can use your API key (by HTTP address)), since this is an Electron app. So basically, if someone looks at the source code (or even just at the developer tools), they can see the key and use it freely.

Any advice on what to do? Thanks.

Answer

The only way to secure your API key for an application that does not require users to register or log in is to place it behind a server proxy. So, when they start the app, the app reaches out to your server; the server then returns the API key, so it only resides in the app in dynamic form and is never visible to users.

However, this is still insecure: if they use a packet sniffer or a local proxy, they can grab your token.

The most secure way to do this is to make all your API requests from a private server that your app has access to. So, the app makes no requests to Youtube, it only gets the data from your server.

Then, you can secure your app by signing API requests to your private server with a private key. For example, you could have a config file in the app with a private key that is sent in the header of every API request. Then, the only way to get your key would be to decompile your app, access that config file, and then make API requests to your private server using the same private information. To prevent malicious users, you can monitor traffic and set up request limits, like 1 request per second per app. Any app exceeding that limit could be black-listed as a DDOS attack or a malicious user.

The data flow would look something like this.

    App -> Server (with Api Key) -> youtube (data) -> Server (data) -> App