javascript 在 jQuery ajax 请求中保护和/或加密(隐藏)POST 变量
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5327054/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Securing and/or encrypting (hiding) POST variables in a jQuery ajax request
提问by davidadamojr
I have an invite form on a web application I am working on. This invite form requires the user to select an email account and then enter a username and a password. These details are sent as POST variables via an ajax request using jQuery. The problem is that I can see the entered password (as well as other POST variables) in plain text using mozilla plugin FireBug.
我正在处理的 Web 应用程序上有一个邀请表。此邀请表要求用户选择一个电子邮件帐户,然后输入用户名和密码。这些详细信息通过使用 jQuery 的 ajax 请求作为 POST 变量发送。问题是我可以使用 mozilla 插件 FireBug 以纯文本形式查看输入的密码(以及其他 POST 变量)。
I believe being able to see the password in plain text (in Firebug) is not ideal. Is there anyway I can prevent this? I tried making the ajax call FROM a page served over HTTPS and made the request over HTTPS as well but I can still see all the POST variables in plain text in Firebug.
我相信能够以纯文本形式(在 Firebug 中)看到密码并不理想。无论如何我可以防止这种情况吗?我尝试从通过 HTTPS 提供服务的页面进行 ajax 调用,并通过 HTTPS 发出请求,但我仍然可以在 Firebug 中以纯文本形式看到所有 POST 变量。
Is there some way I could encrypt these variables client-side and then decrypt them on the server-side? Or is there some other solution?
有什么方法可以在客户端加密这些变量,然后在服务器端解密它们?或者有其他解决方案吗?
回答by krtek
If you're using HTTPS, there's no need to worry (as long as HTTPS is properly setup, but this isn't relevant to this question).
如果您使用的是 HTTPS,则无需担心(只要正确设置了 HTTPS,但这与此问题无关)。
You can see the values in Firebug because Firebug can see the headers sent by your browser, but no one except the browser can read these data.
您可以在 Firebug 中看到这些值,因为 Firebug 可以看到您的浏览器发送的标头,但除了浏览器之外没有人可以读取这些数据。
Actually, you can't hide the value from Firebug, because the browser has to know what to send and Firebug can access everything your browser can.
实际上,您无法对 Firebug 隐藏该值,因为浏览器必须知道要发送什么,而Firebug 可以访问您的浏览器可以访问的所有内容。
回答by Zed
You will always be able to see all of your variables in Firebug. It only means that anyone would only see his ownpassword if he uses Firebug so it is not a vulnerability.
您将始终能够在 Firebug 中看到所有变量。这仅意味着任何人只有在使用 Firebug 时才能看到他自己的密码,因此这不是漏洞。
Don't reinvent the TLS/SSL. Just use HTTPS and it will do just that: encrypt these variables client-side and then decrypt them on the server-side.
不要重新发明 TLS/SSL。只需使用 HTTPS,它就会做到这一点:在客户端加密这些变量,然后在服务器端解密它们。
回答by mr_eclair
You are using Firebug at client side for testing and if you are using HTTPS to send post data so that will be in encrypted form while sending to the server so you don't have to worry there isn't possibility of middle-man sniffing attack to retrive the password in plain text if you are using HTTPS.
您在客户端使用 Firebug 进行测试,并且如果您使用 HTTPS 发送发布数据,以便在发送到服务器时以加密形式发送数据,因此您不必担心中间人嗅探攻击的可能性如果您使用 HTTPS,则以纯文本形式检索密码。
You can see the password field in firebug because its on client side browser and all the data are visible to you as a developer.
您可以在 firebug 中看到密码字段,因为它在客户端浏览器中,并且作为开发人员,您可以看到所有数据。
回答by bhushya
May be this page will help: http://www.jcryption.org
可能这个页面会有所帮助:http: //www.jcryption.org
This library allow to encrypt the data & send using ajax get/post, as variables are encrypted, it very hard to guess the data.
该库允许使用 ajax get/post 加密数据并发送,因为变量是加密的,所以很难猜测数据。
Library use public/private key concept with openssl.
图书馆在 openssl 中使用公钥/私钥概念。
I hope this will be helpful for someone
我希望这对某人有帮助
回答by Mushfiqur Rahman
Your variables are encrypted for a tool or software which behaves like as man-in-the-middle. Your browser or browser plugin like firebug or google chromes network request and response monitoring panel doesn't behaves as man-in-the-middle. Rather they are valid client who has the key to decrypt response from server or encrypt the data before sending to server.
您的变量已针对行为类似于中间人的工具或软件进行了加密。您的浏览器或浏览器插件(如 firebug 或 google chromes 网络请求和响应监控面板)的行为与中间人不同。相反,它们是有效的客户端,拥有解密来自服务器的响应或在发送到服务器之前加密数据的密钥。
If you wish to test whether your data are encrypted or not you can use a tool like fiddler or charles as web debugging proxy. Through these tools you can easily see the data going to the https server and response from the server is encrypted.
如果你想测试你的数据是否被加密,你可以使用像 fiddler 或 charles 这样的工具作为网络调试代理。通过这些工具,您可以轻松查看到 https 服务器的数据,并且来自服务器的响应已加密。
回答by Behnam Alavi
I prefer using jsencrypt:
我更喜欢使用jsencrypt:
You can Encrypt all input fields & post data beforesend Ajax using public key. Then Decrypt it server-side with private key.
您可以在使用公钥发送 Ajax之前加密所有输入字段并发布数据。然后用私钥在服务器端解密它。
Note:To improve security it's better to sign(using jsencrypt) the Hashed content(using ex:cryptojs) to achieve Better security.
注意:为了提高安全性,最好签署(使用 jsencrypt)散列内容(使用 ex: cryptojs)以实现更好的安全性。
Hope to be helpful,
希望有所帮助,
