
Design And Implementation Of API Protection System Based On OpenResty

Posted on: 2022-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: J J Zhao
GTID: 2518306548466814
Subject: Master of Engineering
Abstract/Summary:
With the development of web applications, more and more people prefer to access the Internet through the web, because it is more convenient than using an app. There is no need to download additional software, which saves memory space on the mobile phone. However, while web applications bring convenience to people, they also bring many threats. Because the code in a web page is exposed in the page, an attacker can analyze the code logic and launch attacks, which has a big impact on the security of the web application. Therefore, protecting the core code in web pages is particularly important. At present, some protection methods for web attacks either sacrifice performance in exchange for website security or adopt extremely passive protection, and cannot achieve the ideal protection effect. Therefore, it is necessary to design a new protection method that ensures safe access to the website without affecting performance. This thesis conducts in-depth research on the above problems and proposes a method to protect the core part of the web page, namely API request protection. Since attackers usually analyze and initiate attacks based on API requests, this thesis designs a protection method in which the API request is signed and encrypted on the client side and illegal requests are intercepted on the server side by verifying whether the signature is correct, realizing safe access for users without affecting the performance of the website. The specific work mainly includes the following three aspects:

(1) Analysis of API protection methods. Given the WAF's low interception rate for illegal API requests, this thesis proposes a trusted-client-based protection method, implements trusted-client protection through signature encryption, and finally verifies that the interception rate of the trusted-client protection method against malicious requests is far greater than that of the WAF protection method.

(2) Design and implementation of the API protection system. Binary WebAssembly technology is used on the client to implement the AES algorithm signature logic, to avoid the possibility of the client code being used by hackers. On the OpenResty platform, the signature is verified and request forwarding is completed, implementing the API protection system.

(3) System testing and analysis. Each function proposed in the system requirements analysis is tested, the protection effect of this system is compared with the protection effect of the API protection method, and experiments verify that the protection effect of this system is much better than that of WAF.

Finally, through comparative experiments on the protection effect, this thesis verifies that the system can effectively solve the problem of the low interception rate for illegal API requests. In addition, this thesis demonstrates the effectiveness of using signature encryption to implement trusted client access for protecting web servers. The research on this system will provide some help for future web security research.
Keywords/Search Tags:API defense, tamper-proof, CC attack, OpenResty platform, Trusted client