Protecting YouTube v3 API key in a client-side application

Submitted by 元气小坏坏 on 2019-12-19 02:26:29

Question


I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started

The first step of interacting with YouTube's API is:

You need a Google Account to access the Google Developers Console, request an API key, and register your application.

And they continue on to show an example where they use the key:

URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY&part=snippet,contentDetails,statistics,status

I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.

Since it's a client-side application, my API key is embedded into the code.

Today, a malicious user scripted something to max out the requests:

I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?

I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.

Do I have any other options available to me?

Thanks


Answer 1:


This was due to a quota cost increase, it's temporarily reverted. We'll announce cost changes in http://apiblog.youtube.com/ and https://developers.google.com/youtube/v3/revision_history going forward.




Answer 2:


I don't think it is a malicious user. I think something's wrong on YouTube's side, since I'm seeing exactly the same issue with API requests made from my app.




Answer 3:


You can use restrictions to secure your API key.

Use the REFERERS attribute of the public API key. Go to your project in the Developers Console -> APIs & Auth -> Credentials

  • If you use a key for browser applications, REFERERS is a reference to a domain.
  • If you use a server key, REFERERS is a reference to an IP (the IP of your server, for example).

For example, if you use github.io to make a live demo of an application, REFERERS will point to http://user.github.io/*

You can read more under "register your application":

  • Use a server key if your application runs on a server. Do not use this key outside of your server code. For example, do not embed it in a web page. To prevent quota theft, restrict your key so that requests are only allowed from your servers' source IP addresses.

  • Use a browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.

A screenshot to help you:




Answer 4:


It appears to be a major bug. Same problem here - quota usage spiked like crazy starting on Sept. 3 and requests now cost WAY more than the documentation states.

Someone reported it as a defect in their bug tracking system. I suggest everyone affected go there and star the defect to help call attention to it:

  • https://code.google.com/p/gdata-issues/issues/detail?id=6623&q=label%3AAPI-YouTube&sort=-id&colspec=API%20ID%20Type%20Status%20Priority%20Stars%20Summary



Answer 5:


I propose the following ideas:

  • You can make sure the user accessing your page is a human (with a Captcha, etc.).
  • Hide your API call behind an AJAX call that is triggered by your front-end (like GET /callgoogleapi).
  • The handler of the AJAX call can set a frequency threshold, i.e. 2 requests per second. If too fast, the API call is not made, and AJAX replies with a message like "User operation too fast".



Answer 6:


That is correct. When you make your key make sure you use the REFERERS so that even if they do get your key it will not work for them!




Answer 7:


We also see this error; the deviation seems far too large. The results overview shows 813.844, but the APIs page shows 49,379,348 of 50,000,000 requests used today.



Source: https://stackoverflow.com/questions/25657111/protecting-youtube-v3-api-key-in-a-client-side-application
