blocks|key|5427550|text|如果你不想实现用户帐户，让那些想要使用api的用户注册一个api密钥/密钥，你可以使用它来进行速率限制。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|5427551|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

If you don't want to implement user accounts, how about having those that want to use the api sign up for an api key/secret, which you can use to rate limit with.

blocks|key|2277237|text|查看OAuth。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|2277238|entityMap|0|LINK|mutability|MUTABLE|url|http://oauth.net/^0|2|5|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

Check out <a href="http://oauth.net/" rel="noreferrer">OAuth</a>.

blocks|key|3315435|text|查看开源应用程序接口管理工具，如apiGrove；apiGrove.net或GitHub上的apigrove.github.com/apigrove。apiGrove支持多种接口保护方式，包括IP白名单和密钥授权。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3315436|entityMap|0|LINK|mutability|MUTABLE|url|http://apigrove.github.com/apigrove^0|1A|S|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

Check out an open source API management tool like apiGrove; apiGrove.net or on GitHub at <a href="http://apigrove.github.com/apigrove" rel="nofollow">apigrove.github.com/apigrove</a>. apiGrove supports a variety of approaches to API protection, including IP whitelist and authorization by key.

blocks|key|3315312|text|在我工作过的一家公司，我们为所有非付费客户实现了节流，每天的请求数量有一定的限制，理论上可以根据API端点进行配置。如果您必须在每个请求中提供唯一的ID作为应用程序密钥，则在轻量级API的QueryString中或在POST请求XML中提供更复杂的API。对于不使用公共API的最终用户，您可以改为传递身份验证令牌。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3315313|如果您提供一个公共API而不需要某种身份验证或授权，那么您将不得不求助于基于IP地址的节流。但创建一个允许人们注册API访问的轻量级配置网页并不难。|3315314|您的应用程序逻辑可以根据请求的数量进行调节，就像我们一样，或者每天的带宽，就像Flickr一样。|3315315|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

At one company I worked for, we implemented throttling for all non-paying customers, with a limit of a certain number of requests per day, theoretically configurable per API endpoint. If You had to supply a unique ID as your application key in each request, in the QueryString for lightweight APIs or in the POST request XML for more complex APIs. For end-users not using a public API, you could pass an authentication token instead.

If you supply a public API without requiring some kind of authentication or authorization, you'll have to resort to IP-address based throttling. But it's not hard to create a lightweight provisioning web page that allows people to sign up for API access.

Your application logic can throttle based on number of requests, like we did, or daily bandwidth, like Flickr does.

blocks|key|363814|text|需要令牌才能上传，并使用验证码限制令牌。使用代码应该是这样的：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|363815|//+1st+request
var+uploadToken+=+api.RequestToken(sessionIdFromUser);
if+(uploadToken.RequireChallenge)+{
+++//+requires+challenge+due+to+per+IP+limiting
+++//+uploadToken.Captcha+could+be+a+URL
+++DisplayView(uploadToken.Captcha,+uploadToken.SessionId);+
+++return;
}
api.Upload(uploadToken,+captchaFromUser,+byte[]);|code-block|syntax|javascript|363816|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

Require a token to upload, and restrict the token with a CAPTCHA. Consuming code would be something like:

<pre><code>// 1st request
var uploadToken = api.RequestToken(sessionIdFromUser);
if (uploadToken.RequireChallenge) {
 // requires challenge due to per IP limiting
 // uploadToken.Captcha could be a URL
 DisplayView(uploadToken.Captcha, uploadToken.SessionId); 
 return;
}
api.Upload(uploadToken, captchaFromUser, byte[]);
</code></pre>

blocks|key|5427662|text|正如其他人在这个帖子中提到的那样，API密钥通常是这种情况下的解决方案。您站点没有用户帐户这一事实并不重要:+API密钥标识应用程序，而不是用户。(事实上，如果你的站点确实有用户，你需要单独的机制来识别应用程序和应用程序接口调用中的用户-这是OAuth非常有用的地方)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|5427663|如果您不想创建自己的开发人员注册流程、API密钥发布流程、节流代码等，我建议您看看我的公司WebServius+(www.webservius.com)，它在您提供的API之上提供了托管API管理层。|5427664|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

As others have mentioned on this thread, API keys is often the way to go in such situations. The fact that your site has no user accounts doe not matter: an API key identifies an application, and not a user. (In fact, if your site did have users, you woud need separate mechanisms to identify the app and the user in an API call - this is where OAuth is very helpful).

If you do not want to create your own developer registration process, API key issuing process, throttling code, etc., I would encourage you to take a look at my company, WebServius (www.webservius.com), that provides a hosted API management layer on top of an API you provide.

blocks|key|3315451|text|对于使用.NET开发的API，可以使用API+Protector+.NET。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3315452|请看这个答案：https://stackoverflow.com/a/56075128/1679165|3315453|entityMap|0|LINK|mutability|MUTABLE|url|https://apiprotector.net/|1|https://stackoverflow.com/a/56075128/1679165^0|J|I|0|0|7|18|1|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@$A|Q|B|R|1|S]]|C|$]]|$1|D|3|E|5|6|7|T|8|@]|9|@$A|U|B|V|1|W]]|C|$]]|$1|F|3|-4|5|6|7|X|8|@]|9|@]|C|$]]]|G|$H|$5|I|J|K|C|$L|M]]|N|$5|I|J|K|C|$L|O]]]]

For APIs developed in .NET, you can use <a href="https://apiprotector.net" rel="nofollow noreferrer">API Protector .NET</a>.

See this answer: <a href="https://stackoverflow.com/a/56075128/1679165">https://stackoverflow.com/a/56075128/1679165</a>

Hey everyone, I run an image hosting website and I'm designing an API for it. My concern is that I don't want anyone to be able to do something like:

<pre><code>while(true) { 
 Upload();
}
</code></pre>

and spam/DoS the site.

My current solution is to limit all IP addresses to a certain amount of uploads per day/hour. I believe this will work fine for desktop applications that will use the API, but for websites that wish to use it, all the users will have the same IP (the server's).

I suppose the best solution would be to have user accounts that authenticate with the API, and then ban each account if they abuse it. The problem with this is that my site has no user accounts at all, it's all completely anonymous.

What else can be done? I would like to keep things as open as possible, while at the same time have the ability to ban users/IPs who are obviously abusing the service.

How would I protect an API from abuse?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

大家好，我正在运行一个图片托管网站，我正在为它设计一个API。我担心的是，我不希望任何人能够做这样的事情：while(true) {     Upload();}和垃圾邮件/拒绝服务的网站。我目前的解决方案是将所有IP地址限制在每天/小时一定数量的上传。我相信这对于将使用API的桌面应用程序将会工作得很好，但是对于希望使用它的网站，所有的用户都将拥有相同的IP (服务器的)。我认为最好的解决方案是

问如何保护API不被滥用？
EN

回答 7

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何保护API不被滥用？EN

回答 7

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何保护API不被滥用？
EN