How to prevent API tracing by proxy servers and proxy tools (such as Fiddler)

Time: 2017-10-12 09:20:25

Tags: api security proxy server

I am using the Fiddler tool, and with it I can capture the API requests and their responses, including the parameters, even though it is an HTTPS web application. How can I avoid this? I do not want my API requests and headers to be visible through any proxy tool. Can you guide me?

1 answer:

Answer 0 (score: 0)

What you want is not possible.

Your API is called from the client. Anything on the client is controlled by the owner of that client, i.e. your end user. He may choose to run the client side of your application as your server sends it (the normal way most people do :) ), or he may decide to investigate, understand or modify any client-side code. This obviously includes getting to know your API as well.

To put it another way, the client (i.e. the application in the client browser) needs to know how to talk to the API. But the client browser with the application is fully controlled by the client user, so he will also have this knowledge.

The good thing is, you have no reason to hide your API structure. If security is implemented properly, your API endpoints and calls can be public and your application will still be secure.

As a sidenote, HTTPS doesn't help here. Think of HTTPS as a tunnel, nobody can look through the walls, but anybody can look into the tunnel at both ends. One end is your server, but the other is the client. So Fiddler installed on the client can look into HTTPS traffic from/to that client (it is actually a little bit more complex, but let's go with this for now). However, Fiddler or anything else cannot look into HTTPS traffic between endpoints the Fiddler user doesn't control (again, this is somewhat simplified). So in short, HTTPS is secure if configured correctly, but it only secures the channel, and endpoints are out of scope for HTTPS.
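An added example (not part of the answer above, and not the asker's code) of what "security implemented properly" means here: the server never trusts anything the client knows about the API, only a token it can verify itself and an ownership check it performs itself. The secret, the users and the order store are all constructed for the demo; once the signature and ownership checks live on the server, a user who has captured every request with Fiddler can still only replay requests for their own data.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. It exists only on the server and is never sent
# to the client, so nothing Fiddler captures on the client contains it.
SECRET = b"server-side-secret-never-sent-to-client"

# Constructed demo data: which user owns which order.
ORDERS = {
    "o-1": {"owner": "alice", "total": 42},
    "o-2": {"owner": "bob", "total": 7},
}


def issue_token(user_id: str, secret: bytes = SECRET) -> str:
    """Issue an HMAC-signed bearer token for an already-authenticated user."""
    payload = json.dumps({"sub": user_id}).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, secret: bytes = SECRET):
    """Return the user id the token was issued for, or None if it is forged,
    tampered with, or malformed. Only the server-side secret can mint a valid
    signature, so knowing the token format does not let a client forge one."""
    try:
        encoded_payload, encoded_sig = token.split(".")
        payload = base64.urlsafe_b64decode(encoded_payload)
        sig = base64.urlsafe_b64decode(encoded_sig)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time compare
            return None
        return json.loads(payload)["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def get_order(token: str, order_id: str):
    """Server-side handler for GET /orders/<order_id>. The endpoint and the
    request shape are public; access is decided by the token and by ownership."""
    user = verify_token(token)
    if user is None:
        return 401, {"error": "invalid token"}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same response whether the order is missing or belongs to someone
        # else, so the handler does not leak which order ids exist.
        return 404, {"error": "not found"}
    return 200, order
```

Replaying a captured request with the captured token still works, but only for the captured user's own resources; changing the order id, the user id inside the token, or signing with a guessed secret is rejected on the server regardless of how much of the API the client has observed.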