YouTube API Key Security - How worried should I be?

I'm about to launch an Angular/Node web app that uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and has been very successful in beta. It won't be a commercial success, it's just a fun app that makes people's lives a little easier. I have an issue/concern: should I hide my YouTube V3 API key, client ID and scopes? Or can I assume that because only my domain is whitelisted, potential hackers/people trying to use the API key won't be able to make any calls or do any damage, so what do I have to worry about?

These are the specific calls I'm worried about (not the real ids/keys):

Index.html script tag

    var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
    var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];

In Angular, Controller.js

    .value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
    gapi.client.setApiKey(google_api_key);

For Simple Access to Google APIs, the API key is the only credential the request needs; it is a unique identifier for the app/project. It grants API access and is subject to quota limits.

You should keep it secret!

If you only have a client-side application (no server), use the OAuth 2.0 Client-side Flow.

From Google's Documentation:

Best practices for securely using API keys:

When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:

  • Do not embed API keys directly in code

    API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.

  • Do not store API keys in files inside your application's source tree

    If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.

  • Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them

    By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.

  • Delete unneeded API keys

    To minimize your exposure to attack, delete any API keys that you no longer need.

  • Regenerate your API keys periodically

    You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.

  • Review your code before publicly releasing it

    Ensure that your code does not contain API keys or any other private information before you make your code publicly available.
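The answer's advice (keep the key secret, load it from the environment rather than embedding it, and limit what a leaked key can be used for) can be put into practice on the Node side of an Angular/Node app like the one in the question. The following is an added example written for this page, not code from the question, the answer or Google's documentation: the Angular client calls a narrow `/api/search` endpoint with no key at all, and the server attaches the key, forces the `part`/`type` parameters, clamps `maxResults`, and redacts the key before anything is logged. The environment variable name `YOUTUBE_API_KEY`, the endpoint name and the parameter whitelist are assumptions chosen for the example; the YouTube search URL and its `part`, `type`, `maxResults` and `key` parameters are the public v3 API.

```javascript
// Added example: server-side handling of a YouTube Data API v3 key in Node.
// Names below (YOUTUBE_API_KEY, /api/search, ALLOWED_PARAMS) are assumptions
// made for this example, not taken from the original question or answer.

// Public endpoint of the YouTube Data API v3 search method.
const UPSTREAM = 'https://www.googleapis.com/youtube/v3/search';

// Only these client-supplied parameters are forwarded. Anything else, including
// a client-supplied "key" or "part", is rejected so the endpoint cannot be turned
// into a general-purpose proxy for the whole API (and its quota).
const ALLOWED_PARAMS = new Set(['q', 'maxResults', 'pageToken']);

// Read the key from the process environment instead of embedding it in source.
// `env` is a parameter so the function can be exercised with a constructed
// environment; in production it defaults to process.env.
function loadApiKey(env = process.env) {
  const key = env.YOUTUBE_API_KEY;
  if (!key) {
    throw new Error('YOUTUBE_API_KEY is not set; refusing to serve requests');
  }
  return key;
}

// Validate the client's query and build the upstream request URL.
// Returns { ok: true, url } or { ok: false, status, error }.
function buildUpstreamRequest(clientQuery, apiKey) {
  const params = new URLSearchParams();
  for (const [name, value] of Object.entries(clientQuery)) {
    if (!ALLOWED_PARAMS.has(name)) {
      return { ok: false, status: 400, error: `parameter not allowed: ${name}` };
    }
    params.set(name, String(value));
  }
  if (!params.get('q')) {
    return { ok: false, status: 400, error: 'q is required' };
  }
  // Choices fixed by the server; the browser cannot override them.
  params.set('part', 'snippet');
  params.set('type', 'video');
  const requested = Number(params.get('maxResults') || 10);
  const clamped = Number.isFinite(requested) ? Math.min(Math.max(requested, 1), 25) : 10;
  params.set('maxResults', String(clamped));
  // The key is attached here and only here; it never reaches the browser.
  params.set('key', apiKey);
  return { ok: true, url: `${UPSTREAM}?${params.toString()}` };
}

// Strip the key from a URL before it is written to any log line.
function redactKey(requestUrl) {
  return requestUrl.replace(/([?&]key=)[^&]*/, '$1REDACTED');
}

// Request handler for GET /api/search. A real handler would fetch(built.url)
// and relay Google's JSON body; here the built URL is returned in the response
// object so the example runs offline.
function handleSearch(clientQuery, env = process.env) {
  const built = buildUpstreamRequest(clientQuery, loadApiKey(env));
  if (!built.ok) {
    return { status: built.status, body: { error: built.error } };
  }
  return { status: 200, body: { upstream: built.url }, log: redactKey(built.url) };
}

// Constructed sample: what the Angular client would send (note: no key).
const sampleEnv = { YOUTUBE_API_KEY: 'EXAMPLE-KEY-NOT-REAL' };
const sampleResponse = handleSearch({ q: 'angular tutorial', maxResults: '100' }, sampleEnv);
console.log(sampleResponse.status, sampleResponse.log);
```

On the client, the Angular controller then calls `/api/search?q=...` over HTTPS and never sees `google_api_key`; the referrer restriction from Google's list still applies to the key as a second layer, but the key itself is no longer in any script the browser can read.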