PHP
Artem0071, 2017-02-26 08:50:20

Which hash should I generate for API requests?

I made my API, but how do I make it so that strangers cannot get through to it?
I.e., right now there is a site mydomen.ru, and there is a site with the API, api.mydomen.ru.
On the main site I make a request like api.mydomen.ru/post?id=1
There is a desire, of course, to do something like this:
api.mydome.ru/post?id=1&hashkey=somehashkey
But I don't know how to generate this key.
Both the API and the main site are self-written reinvented wheels; I'm learning how to do it, so ready-made solutions are not so interesting.
The API is in PHP, the main site is in JS (Vue.js).

3 answer(s)
Alexander Pushkarev, 2017-02-26
@AXP-dev

Hash = md5(domain + salt)
Then, in the API, check which domain the request comes from. If the domain is allowed, return the data.

Rsa97, 2017-02-26
@Rsa97

If the site is public, without authorization, then nothing. Everything that is sent and received by the browser can be viewed through the developer tools. All scripts running in the browser can be parsed and studied.

Sergey Sokolov, 2017-02-26
@sergiks

For example, here is how it is implemented in VKontakte. The visitor logs in to the main site. To make requests to the API, he receives a token: a hash of his id, sometimes the IP address or subnet, the "secret" of VK itself, and the "secret" of the application. This hash is sent with every request to the API, which only guarantees that the request came on behalf of such and such a user (and from a valid IP, and not “suddenly” from another continent).
In addition, during the request, a hash is calculated from the request parameters and the "secret" of the application. This allows you to make sure that the request parameters are not faked in the client, because the "secret" of the application does not leave the servers and does not enter the client.
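
The scheme described in this answer, sketched in PHP as an added example (not code from the thread or from VK). HMAC-SHA256 as the keyed hash, the /24 subnet rule, the `sig` parameter name, the function names and the secret values are all assumptions; both secrets stay on the server, and the browser only ever holds the issued token.

```php
<?php
// Constructed secrets for the example; load real ones from server-side config.
const SITE_SECRET = 'constructed-site-secret';  // never sent to the browser
const APP_SECRET  = 'constructed-app-secret';   // never sent to the browser

// Reduce an IPv4 address to its /24 network so small IP changes keep the token valid.
function subnet24(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('IPv4 address expected');
    }
    return long2ip(ip2long($ip) & 0xFFFFFF00);
}

// Token handed to the user after login: keyed hash of user id + subnet.
function issueToken(int $userId, string $ip): string
{
    return hash_hmac('sha256', $userId . '|' . subnet24($ip), SITE_SECRET);
}

function checkToken(string $token, int $userId, string $ip): bool
{
    return hash_equals(issueToken($userId, $ip), $token);  // constant-time compare
}

// Signature over the request parameters, computed only where APP_SECRET lives.
function signParams(array $params): string
{
    unset($params['sig']);
    ksort($params);  // canonical order, so both sides hash the same string
    return hash_hmac('sha256', http_build_query($params), APP_SECRET);
}

function checkParams(array $params): bool
{
    return isset($params['sig']) && is_string($params['sig'])
        && hash_equals(signParams($params), $params['sig']);
}

// Constructed demo values (documentation IP ranges).
$token = issueToken(42, '203.0.113.17');
var_dump(checkToken($token, 42, '203.0.113.99'));  // same /24 as at login
var_dump(checkToken($token, 42, '198.51.100.5'));  // different network
$req = ['id' => '1', 'user' => '42'];
$req['sig'] = signParams($req);
var_dump(checkParams($req));  // untouched parameters
$req['id'] = '2';
var_dump(checkParams($req));  // parameter changed after signing
```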
