
What is the design idea of API interface security?

2025-01-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article mainly explains the design idea of API interface security. Interested readers may wish to have a look. The method introduced here is simple, fast and practical; let Xiaobian take you through it.

Token authorization mechanism

After the user logs in with a username and password, the server returns a Token (usually a UUID) to the client and stores the Token-UserId pair as a key-value entry in the cache server. On each subsequent request the server looks up the Token; if it does not exist, the request is invalid. The Token is the client's credential for accessing the server.

Timestamp timeout mechanism

Each user request carries a timestamp of the current time. The server compares the received timestamp with its own current time; if the difference exceeds a certain limit (for example 5 minutes), the request is treated as invalid. The timestamp timeout mechanism is an effective way to defend against DoS attacks.

Signature mechanism

Hash the Token, the timestamp and the other request parameters with MD5 or SHA-1 (a salt can be added depending on the situation). The resulting digest is the signature (sign) of this request. After receiving the request, the server computes the signature with the same algorithm and compares it with the one it received; if they differ, the parameters have been changed and an error is returned immediately. The signature mechanism ensures that the data cannot be tampered with.

Reject repeated calls (optional)

On the client's first access, the signature sign is stored in the cache server with a timeout equal to the timestamp timeout. Keeping the two timeouts equal guarantees that a given URL can be accessed only once, whether inside or outside the timestamp window: if someone requests the same URL again and the signature is already in the cache server, service is denied.

If someone requests the same URL again after the signature has expired from the cache, the request is intercepted by the timestamp timeout mechanism instead. That is why the signature cache timeout must be set equal to the timestamp timeout. Rejecting repeated calls ensures that a captured URL cannot be replayed (for example, to fetch data).

The whole process is as follows:

1. The client logs in to the server with the username and password and obtains the Token.

2. The client generates a timestamp and takes timestamp as one of the parameters.

3. The client sorts all parameters, including Token and timestamp, and hashes them according to its own algorithm to obtain the signature sign.

4. Add token, timestamp and sign to the URL of each request as mandatory parameters (http://url/request?token=123&timestamp=123&sign=123123123).

5. The server implements a filter that verifies token, timestamp and sign. The request is valid only if the token is valid, the timestamp has not timed out, and the sign does not already exist in the cache server.
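The five steps above, worked end to end as an added Python example (not code from the original article): the client builds the signed URL, and the server's filter checks the token, the timestamp window, the signature and the replay cache in that order. The article hashes with MD5 or SHA-1 plus an optional salt; this example instead uses HMAC-SHA256 keyed with a per-token secret issued at login, which is an assumption of the example, as are the in-memory dictionaries standing in for the cache server, the injectable clock, and the constructed credentials.

```python
import hashlib
import hmac
import secrets
import time
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Timestamp window from the article's example (5 minutes); the replay cache
# uses the same lifetime, as the article requires.
TIMESTAMP_WINDOW = 5 * 60


def compute_sign(secret: str, params: dict) -> str:
    """Sort the parameters, join them, and sign with HMAC-SHA256.

    The article hashes token+timestamp+parameters with MD5/SHA-1 and an
    optional salt; here the per-token secret plays the role of the salt and
    a keyed hash is used so the sign cannot be recomputed without it
    (assumption of this example, not the article's exact construction).
    """
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_request(base_url: str, token: str, secret: str, params: dict, now=None) -> str:
    """Client side (steps 2-4): attach token, timestamp and sign to the URL."""
    ts = int(time.time() if now is None else now)
    full = dict(params, token=token, timestamp=str(ts))
    full["sign"] = compute_sign(secret, full)       # sign covers every other parameter
    return f"{base_url}?{urlencode(full)}"


class Server:
    """Server side: login() issues a token (step 1); filter() checks requests (step 5)."""

    def __init__(self, users: dict):
        self._users = users          # username -> password (constructed demo data)
        self._tokens = {}            # token -> (user_id, secret): the Token-UserId cache
        self._seen_signs = {}        # sign -> expiry time: the replay cache
        self.clock = time.time       # injectable so the timeout can be exercised

    def login(self, username: str, password: str):
        """Returns (token, secret) on success, None otherwise."""
        if self._users.get(username) != password:
            return None
        token = str(uuid.uuid4())
        secret = secrets.token_hex(16)
        self._tokens[token] = (username, secret)
        return token, secret

    def _purge_expired(self, now: float) -> None:
        for s in [s for s, exp in self._seen_signs.items() if exp <= now]:
            del self._seen_signs[s]

    def filter(self, url: str):
        """Returns (accepted, reason); checks token, timestamp, sign, replay in that order."""
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        token, ts, sign = params.get("token"), params.get("timestamp"), params.get("sign")
        if not (token and ts and sign):
            return False, "missing parameter"
        if token not in self._tokens:                          # token must exist in the cache
            return False, "invalid token"
        try:
            ts_value = int(ts)
        except ValueError:
            return False, "bad timestamp"
        now = self.clock()
        if abs(now - ts_value) > TIMESTAMP_WINDOW:             # timestamp timeout
            return False, "timestamp expired"
        _, secret = self._tokens[token]
        expected = compute_sign(secret, {k: v for k, v in params.items() if k != "sign"})
        if not hmac.compare_digest(expected, sign):            # constant-time comparison
            return False, "bad signature"
        self._purge_expired(now)
        if sign in self._seen_signs:                           # reject repeated calls
            return False, "duplicate request"
        self._seen_signs[sign] = now + TIMESTAMP_WINDOW        # same lifetime as the window
        return True, "ok"


if __name__ == "__main__":
    server = Server({"alice": "correct-horse"})   # constructed credentials
    token, secret = server.login("alice", "correct-horse")
    url = build_request("http://url/request", token, secret, {"q": "data"})
    print(url)
    print(server.filter(url))                                  # (True, 'ok')
    print(server.filter(url))                                  # (False, 'duplicate request')
    print(server.filter(url.replace("q=data", "q=other")))     # (False, 'bad signature')
```

The check order matters for the replay cache: the timestamp test runs before the cache lookup, so a sign that has already expired from the cache is still rejected, which is the property the article relies on when it asks for the two timeouts to be equal.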

Under the protection of the above three mechanisms,

If someone hijacks the request and modifies the parameters in the request, the signature cannot pass;

If someone uses a hijacked URL for a DoS attack, the server denies service because the signature is already in the cache server or the timestamp has timed out, so a DoS attack is also impossible;

If the signature algorithm and the username and password are both exposed, then even if the Great Sage himself came, it probably would not help...

At this point, I believe everyone has a deeper understanding of the API interface security design idea. Now try it in practice. For more related content, visit the relevant channels on this website, follow us, and keep learning!
